Nixpkgs security tracker

Untriaged

Permalink CVE-2025-32908

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 1 year ago

Libsoup: denial of service on libsoup through http/2 server

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).

References

https://access.redhat.com/security/cve/CVE-2025-32908 vdb-entryx_refsource_REDHAT
RHBZ#2359343 issue-trackingx_refsource_REDHAT
RHSA-2025:7505 vendor-advisoryx_refsource_REDHAT

Affected products

libsoup

<3.6.5

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.0
- nixpkgs-unstable 3.6.0
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable 2.4
- nixpkgs-unstable 2.4
- nixos-unstable-small 2.4

Package maintainers

@lovek323 Jason O'Conal <jason@oconal.id.au>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>