API Design Flaw in WebKitGTK and WPE WebKit Exposes Network Requests
CVE-2025-66286

4.7MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Vendor
CVE Published:
23 April 2026

What is CVE-2025-66286?

An API design flaw in WebKitGTK and WPE WebKit has been uncovered, enabling untrusted web content to perform unauthorized actions such as IP connections, DNS lookups, and HTTP requests. Typically, applications utilize the WebPage::send-request signal handler to control network requests. However, this vulnerability allows certain HTTP requests to bypass this critical signal handler, leading to potential security risks.

References

https://access.redhat.com/security/cve/CVE-2025-66286
vdb-entryx_refsource_REDHAT
https://bugs.webkit.org/show_bug.cgi?id=259787
https://bugzilla.redhat.com/show_bug.cgi?id=2424652
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Albrecht DreĂź for reporting this issue.
.