CVE-2025-46421: Libsoup: information disclosure may leads libsoup client sends authorization header to a different host when being redirected by a server
First published: Thu Apr 24 2025(Updated: )
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libsoup | <3.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-46421?
CVE-2025-46421 has a moderate severity rating due to the potential for unauthorized user impersonation.
How do I fix CVE-2025-46421?
To fix CVE-2025-46421, update your libsoup to version 3.6.5 or later, which addresses this vulnerability.
What software is affected by CVE-2025-46421?
CVE-2025-46421 affects the GNOME libsoup library versions prior to 3.6.5.
What does CVE-2025-46421 allow an attacker to do?
CVE-2025-46421 allows attackers to impersonate users by capturing their HTTP Authorization header during redirects.
When was CVE-2025-46421 reported?
CVE-2025-46421 was reported as a flaw in libsoup and is currently cataloged for public awareness.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/type
- agent/title
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2025-46421
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/gnome
- canonical/libsoup