CVE-2025-9901 MEDIUM

CVE-2025-9901: Libsoup: improper handling of http vary header in libsoup caching

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
Weakness: CWE-524
Published: September 3, 2025
Last update: June 30, 2026

CVSS base score

5.9/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
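
The failure mode described above, as an added example: a constructed Python model of an HTTP cache, not libsoup or SoupCache code. With `honor_vary=False` the cache matches on URL alone; with `honor_vary=True` it compares the request headers named in `Vary` before reusing an entry, as RFC 9111 section 4.1 requires. The `Cache` class, the URL and the cookie values are assumptions made for the illustration.

```python
"""Constructed model of Vary handling in an HTTP cache (not libsoup code)."""


def _norm(headers):
    # Header field names are case-insensitive; normalise them once.
    return {k.lower(): v.strip() for k, v in headers.items()}


class Cache:
    def __init__(self, honor_vary):
        self.honor_vary = honor_vary
        self.entries = {}  # url -> list of (vary fields, selecting headers, body)

    def store(self, url, req_headers, resp_headers, body):
        vary_value = _norm(resp_headers).get("vary", "")
        vary = [f.strip().lower() for f in vary_value.split(",") if f.strip()]
        req = _norm(req_headers)
        # Remember the request header values that selected this response.
        selecting = {f: req.get(f) for f in vary}
        self.entries.setdefault(url, []).append((vary, selecting, body))

    def lookup(self, url, req_headers):
        req = _norm(req_headers)
        for vary, selecting, body in self.entries.get(url, []):
            if not self.honor_vary:
                return body  # flawed behaviour: URL match is enough
            if "*" in vary:
                continue  # "Vary: *" never matches a later request
            if all(req.get(f) == selecting[f] for f in vary):
                return body
        return None  # miss: the request must go to the origin


def demo(honor_vary, second_cookie="session=bob"):
    cache = Cache(honor_vary)
    url = "https://app.example/profile"  # constructed URL
    # First user's response is stored; the origin says it varies on Cookie.
    cache.store(url, {"Cookie": "session=alice"},
                {"Vary": "Cookie", "Cache-Control": "max-age=60"},
                "profile: alice")
    # A second request for the same URL arrives with its own cookie.
    return cache.lookup(url, {"cookie": second_cookie})


if __name__ == "__main__":
    print("Vary ignored:", demo(False))  # another user's body is reused
    print("Vary honoured:", demo(True))  # cache miss
```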

Key dates

02 Disclosure timeline

September 3, 2025: CVE published
June 30, 2026: Record updated