CVE-2025-4035
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | 0:3.6.5-3.el10_0.6 < * | unaffected |
Weaknesses
- CWE-178: Improper Handling of Case Sensitivity
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://access.redhat.com/errata/RHSA-2025:8128
- https://access.redhat.com/security/cve/CVE-2025-4035
- https://bugzilla.redhat.com/show_bug.cgi?id=2362651
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/443
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.