CVE-2025-46421 MEDIUM

CVE-2025-46421: Libsoup: information disclosure may lead a libsoup client to send the Authorization header to a different host when redirected by a server

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6
Weakness: CWE-497
Published: April 24, 2025
Last update: November 18, 2025

CVSS base score

6.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

Key dates

02 Disclosure timeline

April 24, 2025: CVE published
November 18, 2025: Record updated