libsoup is an HTTP client/server library for GNOME, hosted at
https://gitlab.gnome.org/GNOME/libsoup

A number of CVEs have recently been recorded against it (due in part to
bug bounty submissions via YesWeHack) - fixes are available in the
libsoup 3.6.x releases for some, but not all of them.

Some fixes that also affect the older 2.x branch have been backported upstream
in https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/449 though upstream
encourages migration to version 3.x instead if possible.

CVE-2025-32049 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/390

    Denial of service on libsoup via soup-websocket-connection through
    "process_contents" leads to unbounded memory allocation when receiving
    fragmented websocket messages

    YesWeHack Report ID: #YWH-PGM9867-12
    Date Reported on GNOME GitLab: August 21, 2024 (#390)
    Date Reported on YesWeHack: November 25, 2024
    Date Fixed: Not Fixed
    Fix Version: Not Fixed
    Fix: Not Fixed
    CVE: CVE-2025-32049
    CWE: CWE-617: Reachable Assertion, CWE-770: Allocation of Resources Without Limits or Throttling
    Discovery Credit: Ignacio Casal Quinteiro
    Additional Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    The websocket protocol allows sending a large message in small
    chunks called frames. The problem in libsoup's implementation of
    this feature is that there is no restriction on the total length
    of a fragmented message sent through multiple frames. Every time a
    message fragment is received, the message_data buffer is
    expanded. The problem arises when a client never terminates its
    message and keeps sending message fragments. The outcome is that
    the receiving process terminates with an error once the buffer's
    size gets too big:

    (process:26989): GLib-ERROR **: 17:39:20.346: adding 98303 to array would overflow
    Trace/breakpoint trap (core dumped)

    The issue originates in process_contents function in
    soup-websocket-connection.c when dealing with priv->message_data.

    Proposed fix (not yet accepted/merged):
    https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408
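The mitigation the description points at is a cap on the reassembled
message size, checked before the buffer grows. The following is an added
illustration of that pattern and is not libsoup code or the proposed fix;
the Reassembler type, the 1 MiB MAX_MESSAGE_BYTES policy value and the
helper names are assumptions made for the example. The overflow check is
written as a subtraction so a huge advertised frame length cannot wrap the
size_t addition before the cap is compared.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy for the example: largest fragmented message accepted. */
#define MAX_MESSAGE_BYTES (1u << 20)

typedef struct {
    uint8_t *data;
    size_t len;   /* bytes of message accumulated so far */
    size_t cap;   /* bytes currently allocated */
} Reassembler;

enum { FRAG_OK = 0, FRAG_TOO_LARGE = 1, FRAG_OOM = 2 };

void reassembler_init(Reassembler *r) { r->data = NULL; r->len = 0; r->cap = 0; }
void reassembler_free(Reassembler *r) { free(r->data); reassembler_init(r); }

/* Append one fragment of a message whose final frame has not arrived yet.
 * Rejects before allocating when the message would exceed the cap; the
 * subtraction form is overflow-safe because r->len never exceeds the cap. */
int reassembler_append(Reassembler *r, const uint8_t *frag, size_t frag_len)
{
    if (frag_len > MAX_MESSAGE_BYTES - r->len)
        return FRAG_TOO_LARGE;
    size_t need = r->len + frag_len;
    if (need > r->cap) {
        size_t new_cap = r->cap ? r->cap : 256;
        while (new_cap < need)
            new_cap *= 2;
        if (new_cap > MAX_MESSAGE_BYTES)
            new_cap = MAX_MESSAGE_BYTES;   /* never allocate past the cap */
        uint8_t *p = realloc(r->data, new_cap);
        if (!p)
            return FRAG_OOM;
        r->data = p;
        r->cap = new_cap;
    }
    memcpy(r->data + r->len, frag, frag_len);
    r->len = need;
    return FRAG_OK;
}

/* Constructed scenario: a peer that never sends a final frame keeps sending
 * 98303-byte fragments (the size in the GLib error above). Returns how
 * many fragments are accepted before the cap rejects the next one. */
size_t simulate_endless_fragments(void)
{
    Reassembler r;
    reassembler_init(&r);
    uint8_t *frag = calloc(98303, 1);
    size_t accepted = 0;
    if (!frag)
        return 0;
    while (reassembler_append(&r, frag, 98303) == FRAG_OK)
        accepted++;
    free(frag);
    reassembler_free(&r);
    return accepted;   /* 10 fragments fit under 1 MiB, the 11th is rejected */
}
```

With the cap in place the peer's behaviour becomes a bounded, loggable
protocol error (close the connection with a 1009 "message too big" status)
instead of an abort inside GLib's array growth.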

CVE-2025-32050 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/424

    Integer overflow in append_param_quoted

    YesWeHack Report ID: #YWH-PGM9867-9
    Date Reported: October 28, 2024
    Date Fixed: November 22, 2024
    Fix Version: 3.6.1
    Fix: 9bb0a55d
    CVE: CVE-2025-32050
    CWE: CWE-127: Buffer Under-read, CWE-190: Integer Overflow
    Discovery Credit: chamal de silva
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    The likely impact of this bug is denial of service. Since there is buffer
    under-read, there is also theoretical confidentiality impact. [Triager]
    thinks buffer underwrite might also be possible, but is not certain.

    The libsoup function append_param_quoted is vulnerable to an Integer
    Overflow.

CVE-2025-32051 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/401

    Segmentation fault when parsing malformed data URI

    YesWeHack Report ID: #YWH-PGM9867-11
    Date Reported to YesWeHack: November 21, 2024
    Date Fixed: November 22, 2024
    Fix Version: 3.6.1
    Fix: 0713ba4a and 79cfd65c
    CVE: CVE-2025-32051
    CWE: NULL Pointer Dereference (CWE-476)
    Discovery Credit: Anonymous
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
    (This anonymous discovery credit is in addition to Ar jun.)

    libsoup's soup_uri_decode_data_uri() function, prior to libsoup 3.6.1, may
    crash when processing a malformed data URI, resulting in denial of service.

    Report summary: Using a custom fuzzing harness, I discovered that these
    two payloads both trigger a segmentation fault in
    soup_uri_decode_data_uri(uri, NULL): data:.///, data:/.//

CVE-2025-32052 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/425

    Heap buffer over-read in soup-content-sniffer.c:sniff_unknown()

    Date Reported: November 14, 2024
    Date Fixed: November 22, 2024
    Fix Version: 3.6.1
    Fix: f182429e
    CVE: CVE-2025-32052
    CWE: CWE-126: Buffer Over-read
    Discovery Credit: Ar jun

    libsoup prior to version 3.6.1 is vulnerable to a heap buffer over-read
    in the content sniffer's sniff_unknown() function. libsoup clients may
    read out of bounds in response to a crafted HTTP response sent by an
    HTTP server.

CVE-2025-32053 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/426

    Heap buffer over-read in soup-content-sniffer.c:sniff_feed_or_html()
    and soup-content-sniffer.c:skip_insignificant_space()

    Date Reported: November 14, 2024
    Date Fixed: November 22, 2024
    Fix Version: 3.6.1
    Fix: eaed42ca
    CVE: CVE-2025-32053
    CWE: CWE-126: Buffer Over-read
    Discovery Credit: Ar jun

    libsoup prior to version 3.6.1 is vulnerable to heap buffer over-reads in
    the content sniffer's sniff_feed_or_html() and skip_insignificant_space()
    functions. libsoup clients may read out of bounds in response to a
    crafted HTTP response sent by an HTTP server.

    WARNING: the fix for this issue possibly introduces another security
    vulnerability, #422 (closed).

CVE-2025-32906 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/404

    Out of bounds reads in soup_headers_parse_request()

    Date Reported: November 25, 2024
    Date Fixed: February 24, 2025
    Fix Version: 3.6.5
    Fix: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440
    CVE: CVE-2025-32906
    Discovery Credit: Tan Wei Chong

CVE-2025-32907 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/428

    Denial of service in server when client requests a large amount of
    overlapping ranges with Range header

    YesWeHack Report ID: #YWH-PGM9867-13
    Date Reported: November 28, 2024
    Date Fixed: Not Fixed
    Fix Version: Not Fixed
    Fix: Not Fixed
    CVE: CVE-2025-32907
    CWE: CWE-405: Asymmetric Resource Consumption (Amplification)
    Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup's implementation of HTTP range requests is vulnerable to a
    resource consumption attack. A malicious client may request the same
    range many times in a single HTTP request, causing the server to use
    large amounts of memory.
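A server-side defence for this class of issue is to validate the Range
header before allocating anything for the response: bound the number of
ranges and refuse (or coalesce) ranges that overlap, both of which RFC 9110
permits a server to do. The parser below is an added example, not libsoup's
range handling; the MAX_RANGES value of 16 is an assumed policy, and only
the closed "first-last" form is accepted, so suffix and open-ended ranges
are rejected rather than handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 16   /* assumed policy: reject requests with more */

typedef struct { uint64_t start, end; } ByteRange;

/* Parse "bytes=a-b,c-d,..." into out[]. Returns the number of ranges, or -1
 * when the header is malformed, unsatisfiable, exceeds max_out ranges, or
 * any two ranges overlap (a repeated range is the overlap case). */
int parse_range_header(const char *value, uint64_t resource_len,
                       ByteRange *out, int max_out)
{
    const char *p = value;
    int n = 0;
    if (strncmp(p, "bytes=", 6) != 0)
        return -1;
    p += 6;
    for (;;) {
        char *end;
        while (*p == ' ') p++;
        if (*p < '0' || *p > '9') return -1;
        uint64_t s = strtoull(p, &end, 10);
        if (*end != '-') return -1;
        p = end + 1;
        if (*p < '0' || *p > '9') return -1;
        uint64_t e = strtoull(p, &end, 10);
        p = end;
        if (s > e || s >= resource_len) return -1;     /* unsatisfiable */
        if (e >= resource_len) e = resource_len - 1;   /* clamp to last byte */
        for (int i = 0; i < n; i++)                    /* overlap with earlier? */
            if (!(e < out[i].start || out[i].end < s)) return -1;
        if (n >= max_out) return -1;                   /* too many ranges */
        out[n].start = s;
        out[n].end = e;
        n++;
        while (*p == ' ') p++;
        if (*p == '\0') return n;
        if (*p != ',') return -1;
        p++;
    }
}

/* Constructed request builder for the scenario in the advisory: n ranges
 * that are either all identical (repeated != 0) or distinct and disjoint.
 * Returns what parse_range_header decides for a 1000-byte resource. */
int simulate_ranges(int n, int repeated)
{
    char buf[512];
    size_t pos = 0;
    ByteRange out[MAX_RANGES];
    if (n < 1 || n > 64) return -1;
    pos += (size_t)snprintf(buf, sizeof buf, "bytes=");
    for (int i = 0; i < n; i++) {
        unsigned long long s = repeated ? 0ULL : 2ULL * (unsigned long long)i;
        pos += (size_t)snprintf(buf + pos, sizeof buf - pos, "%s%llu-%llu",
                                i ? "," : "", s, s);
    }
    return parse_range_header(buf, 1000, out, MAX_RANGES);
}
```

The O(n^2) overlap scan is deliberate: with the range count capped it is
cheap, and it rejects the "same range many times" request at parse time,
before any per-range buffer exists.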

CVE-2025-32908 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/429

    Denial of service on libsoup through
    server/http2/soup-server-message-io-http2.c via "on_frame_recv_callback"
    due to assertion failure when client sends certain values in
    pseudo-headers in a HEADERS frame

    YesWeHack Report ID: #YWH-PGM9867-14
    Date Reported: December 1, 2024
    Date Fixed: Not Fixed
    Fix Version: Not Fixed
    Fix: Not Fixed
    CVE: CVE-2025-32908
    CWE: CWE-617: Reachable Assertion
    Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup's HTTP/2 server doesn't fully validate the values of the
    pseudo-headers :scheme, :authority, and :path.
    A client may crash the server by sending a malicious HTTP request.

CVE-2025-32909 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/431

    NULL Pointer Dereference on libsoup through function "sniff_mp4"
    in soup-content-sniffer.c

    YesWeHack Report ID: #YWH-PGM9867-15
    Date Reported: December 2, 2024
    Date Fixed: January 8, 2025
    Fix Version: 3.6.2
    Fix: ba4c3a6f
    CVE: CVE-2025-32909
    CWE: CWE-476: NULL Pointer Dereference
    Discovery Credit: Alon Zahavi
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup's SoupContentSniffer, prior to version 3.6.2, is vulnerable to
    a null pointer dereference in its sniff_mp4 function. A malicious HTTP
    server may cause the libsoup client to crash.

CVE-2025-32910 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/432

    Null pointer dereference on libsoup via /auth/soup-auth-digest.c through
    "soup_auth_digest_authenticate" on client when server omits the "realm"
    parameter in an Unauthorized response with Digest authentication

    YesWeHack Report ID: #YWH-PGM9867-17
    Date Reported: December 8, 2024
    Date Fixed: January 10, 2025
    Fix Version: 3.6.3
    Fix: !417 (merged)
    CVE: CVE-2025-32910
    CWE: CWE-476: NULL Pointer Dereference
    Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup prior to version 3.6.3 is vulnerable to a null pointer dereference
    in soup_auth_digest_authenticate(). A malicious HTTP server may cause the
    libsoup client to crash.

CVE-2025-32911 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/433

    Double free on soup_message_headers_get_content_disposition() through
    "soup-message-headers.c" via "params" GHashTable value

    YesWeHack Report ID: #YWH-PGM9867-19
    Date Reported: December 8, 2024
    Date Fixed: January 8, 2025
    Fix Version: 3.6.3
    Fix: !422 (merged)
    CVE: CVE-2025-32911
    CWE: CWE-590: Free of Memory Not on the Heap
    Discovery Credit: Anonymous
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup prior to version 3.6.3 is vulnerable to a free of memory not on
    the heap in soup_message_headers_get_content_disposition(). A malicious
    HTTP client may induce memory corruption in the libsoup server.

    Michael's note: theoretically this could result in remote code execution,
    so this is particularly not good.

CVE-2025-32912 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/434

    NULL pointer dereference in client when server omits the "nonce"
    parameter in an Unauthorized response with Digest authentication

    YesWeHack Report ID: #YWH-PGM9867-20
    Date Reported: December 9, 2024
    Date Fixed: February 8, 2025
    Fix Version: 3.6.5
    Fix: !417 (merged) and !434 (merged) and 910ebdcd
    CVE: CVE-2025-32912
    CWE: CWE-476: NULL Pointer Dereference
    Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup prior to 3.6.5 is vulnerable to a null pointer dereference in
    SoupAuthDigest. A malicious HTTP server may cause the libsoup client to
    crash.

CVE-2025-32913 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/435

    NULL pointer dereference in soup_message_headers_get_content_disposition
    when "filename" parameter is present, but has no value in
    Content-Disposition header

    YesWeHack Report ID: #YWH-PGM9867-21
    Date Reported: December 9, 2024
    Date Fixed: January 8, 2025
    Fix Version: 3.6.2
    Fix: !422 (merged)
    CVE: CVE-2025-32913
    CWE: CWE-476: NULL Pointer Dereference
    Discovery Credit: Jan Różański
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup prior to 3.6.2 is vulnerable to a null pointer dereference in
    soup_message_headers_get_content_disposition(). A malicious HTTP peer
    may crash a libsoup client or server that uses this function.
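CVE-2025-32910, CVE-2025-32912 and CVE-2025-32913 share one root cause: a
header parameter that the code assumes is present ("realm", "nonce",
"filename") is absent, or is present as a bare name with no value, and the
resulting NULL is used. The parameter-list parser below is an added example
of handling both states explicitly; it is not libsoup's parser, and the
Param/ParamList types, the fixed buffer sizes, the MAX_PARAMS limit and the
two caller functions are assumptions made for the illustration. The same
parser serves the WWW-Authenticate: Digest challenge (comma-separated) and
the Content-Disposition header (semicolon-separated) by taking the
separator as an argument.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 16   /* assumed limit for the example */

typedef struct {
    char key[32];
    char value[128];
    int has_value;      /* 0 when the name appeared with no '=' at all */
} Param;

typedef struct { Param items[MAX_PARAMS]; int count; } ParamList;

/* Parse `name=value` pairs separated by `sep`. Quoted values have their
 * quotes and backslash escapes removed; a bare name is kept with
 * has_value == 0. Returns 0 on success, -1 on malformed input. */
int parse_params(const char *s, char sep, ParamList *out)
{
    out->count = 0;
    while (*s) {
        while (*s == ' ' || *s == '\t') s++;
        if (!*s) break;
        if (out->count >= MAX_PARAMS) return -1;
        Param *p = &out->items[out->count];
        size_t k = 0;
        while (*s && *s != '=' && *s != sep && !isspace((unsigned char)*s)) {
            if (k + 1 >= sizeof p->key) return -1;
            p->key[k++] = (char)tolower((unsigned char)*s++);
        }
        p->key[k] = '\0';
        if (k == 0) return -1;
        p->has_value = 0;
        p->value[0] = '\0';
        while (*s == ' ' || *s == '\t') s++;
        if (*s == '=') {
            s++;
            while (*s == ' ' || *s == '\t') s++;
            size_t v = 0;
            if (*s == '"') {
                s++;
                while (*s && *s != '"') {
                    if (*s == '\\' && s[1]) s++;          /* quoted-pair */
                    if (v + 1 >= sizeof p->value) return -1;
                    p->value[v++] = *s++;
                }
                if (*s != '"') return -1;                 /* unterminated */
                s++;
            } else {
                while (*s && *s != sep && !isspace((unsigned char)*s)) {
                    if (v + 1 >= sizeof p->value) return -1;
                    p->value[v++] = *s++;
                }
            }
            p->value[v] = '\0';
            p->has_value = 1;
        }
        out->count++;
        while (*s == ' ' || *s == '\t') s++;
        if (*s == sep) s++;
        else if (*s) return -1;
    }
    return 0;
}

/* Returns the value only when the key is present AND carries a value;
 * callers therefore never see a non-NULL result for a bare name. */
const char *param_get(const ParamList *l, const char *key)
{
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->items[i].key, key) == 0)
            return l->items[i].has_value ? l->items[i].value : NULL;
    return NULL;
}

/* Digest challenge: usable only if both realm and nonce are present. */
int digest_challenge_usable(const char *www_authenticate)
{
    const char *prefix = "Digest ";
    ParamList l;
    if (strncmp(www_authenticate, prefix, strlen(prefix)) != 0) return 0;
    if (parse_params(www_authenticate + strlen(prefix), ',', &l) != 0) return 0;
    return param_get(&l, "realm") != NULL && param_get(&l, "nonce") != NULL;
}

/* Content-Disposition: copies the filename into out and returns 1 only
 * when the parameter is present with a non-empty value. */
int content_disposition_filename(const char *header, char *out, size_t out_len)
{
    ParamList l;
    if (parse_params(header, ';', &l) != 0) return 0;
    const char *fn = param_get(&l, "filename");
    if (!fn || !*fn || strlen(fn) + 1 > out_len) return 0;
    strcpy(out, fn);
    return 1;
}
```

The design point is that "absent" and "present without a value" are both
represented in the data structure, so a lookup can only hand back a usable
string; the caller then treats a NULL as "challenge unusable, do not
authenticate" or "no filename, fall back" rather than dereferencing it.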

CVE-2025-32914 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/436

    OOB Read on libsoup through function "soup_multipart_new_from_message"
    in soup-multipart.c leads to crash or exit of process

    YesWeHack Report ID: #YWH-PGM9867-23
    Date Reported: April 9, 2025
    Date Fixed: Not Fixed
    Fix Version: Not Fixed
    Fix: Not Fixed
    CVE: CVE-2025-32914
    CWE: Out-of-bounds Read (CWE-125)
    Discovery Credit: Alon Zahavi
    Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency

    libsoup is vulnerable to an out of bounds read in
    soup_multipart_new_from_message(). A malicious HTTP client may
    induce the libsoup server to read out of bounds.

--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
