Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-2784

7.0 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): HIGH

created 1 year ago

Libsoup: heap buffer over-read in `skip_insignificant_space` when sniffing content

A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

References

https://access.redhat.com/security/cve/CVE-2025-2784 vdb-entryx_refsource_REDHAT
RHBZ#2354669 issue-trackingx_refsource_REDHAT
https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 exploit
RHSA-2025:7505 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8126 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8132 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8139 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8140 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8252 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8480 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8481 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8482 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8663 vendor-advisoryx_refsource_REDHAT
RHSA-2025:9179 vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html
RHSA-2025:21657 vendor-advisoryx_refsource_REDHAT

Affected products

libsoup

*
<3.6.5

libsoup3

*

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.0
- nixpkgs-unstable 3.6.0
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable 2.4
- nixpkgs-unstable 2.4
- nixos-unstable-small 2.4

Package maintainers

@lovek323 Jason O'Conal <jason@oconal.id.au>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>