HTTP Header Handling Flaw in Libsoup Affects Request Processing
CVE-2025-14523

8.2HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 11 December 2025

What is CVE-2025-14523?

A vulnerability in libsoup's handling of HTTP headers permits multiple Host: headers within a single request. This may result in inconsistencies for server-side processing as it returns the last Host: header encountered. Consequently, common front proxies may disregard the last header, leading to vhost confusion. Such discrepancies can expose the system to various exploitations, including request-smuggling attacks, cache poisoning, and the circumvention of host-based access controls when an adversary injects duplicate Host headers.

References

https://access.redhat.com/security/cve/CVE-2025-14523

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2421349

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2025
Vulnerability Reserved
Dec 11, 2025

Credit

Red Hat would like to thank Ky0toFu and Sovereign Tech Resilience program for reporting this issue.

JSON