CVE-2025-46421

Published: Apr 24, 2025Modified: Jul 28, 2025

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

Related CWEs

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

References (13)

https://access.redhat.com/errata/RHSA-2025:4439

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4440

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4508

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4538

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4560

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4568

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4609

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:4624

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:7436

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:7505

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2025-46421

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2361962

Source: secalert@redhat.com

https://gitlab.gnome.org/GNOME/libsoup/-/issues/439

Source: secalert@redhat.com

Timeline

No history available yet.