Flaw in Libsoup Caching Mechanism Affecting Red Hat Products
CVE-2025-9901
5.9 MEDIUM
What is CVE-2025-9901?
libsoup's caching mechanism, SoupCache, improperly handles the HTTP Vary header. Because of this, a cached response can be reused for a different request without being varied on the request headers it depends on, particularly headers that indicate language preference or authentication status. This can inadvertently expose sensitive user information in environments such as proxies or systems with multiple users. Typical desktop usage may not be affected, but in shared usage scenarios the flaw raises serious confidentiality concerns.
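The cache-key behaviour described above, as an added illustration that is not libsoup's code: a URL-only cache beside one that honours Vary as RFC 9111 section 4.1 describes. The class names, URL and header values are constructed for the example, and request header names are assumed to be lowercased already.

```python
# Added illustration; not libsoup code. All names and values are hypothetical.

def vary_names(response_headers):
    """Header names listed in the response's Vary field, lowercased."""
    raw = response_headers.get("vary", "")
    return [n.strip().lower() for n in raw.split(",") if n.strip()]

class NaiveCache:
    """Keys on URL only, so the Vary header has no effect (the flawed pattern)."""
    def __init__(self):
        self.store = {}
    def put(self, url, req_headers, resp_headers, body):
        self.store[url] = body
    def get(self, url, req_headers):
        return self.store.get(url)

class VaryAwareCache:
    """Reuses an entry only if every header named in Vary has the same value
    as in the request that produced the entry (RFC 9111, section 4.1)."""
    def __init__(self):
        self.store = {}  # url -> list of (vary names, selecting values, body)
    def put(self, url, req_headers, resp_headers, body):
        names = vary_names(resp_headers)
        if "*" in names:
            return  # "Vary: *" always fails to match, so storing is pointless
        selected = {n: req_headers.get(n) for n in names}
        self.store.setdefault(url, []).append((names, selected, body))
    def get(self, url, req_headers):
        for names, selected, body in self.store.get(url, []):
            if all(req_headers.get(n) == selected[n] for n in names):
                return body
        return None

def replay(cache):
    """Constructed scenario: two users behind one shared cache.
    Returns (what bob is served, what alice is served) after alice's fetch."""
    url = "https://app.example/profile"
    alice = {"authorization": "Bearer alice-token", "accept-language": "en"}
    bob = {"authorization": "Bearer bob-token", "accept-language": "de"}
    resp = {"vary": "Authorization, Accept-Language"}
    cache.put(url, alice, resp, "profile of alice")
    return cache.get(url, bob), cache.get(url, alice)
```

With the URL-only cache, the second user is served the first user's stored response; with the Vary-aware cache the lookup misses and the request would go to the origin.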
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank zkbytes for reporting this issue.