Nixpkgs security tracker

Untriaged

Permalink CVE-2025-32909

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 1 year ago

Libsoup: null pointer dereference on libsoup through function "sniff_mp4" in soup-content-sniffer.c

A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

References

https://access.redhat.com/security/cve/CVE-2025-32909 vdb-entryx_refsource_REDHAT
RHBZ#2359353 issue-trackingx_refsource_REDHAT
RHSA-2025:8292 vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html

Affected products

libsoup

<3.6.2

libsoup3

mingw-freetype

spice-client-win

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.0
- nixpkgs-unstable 3.6.0
- nixos-unstable-small 3.6.0

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable 2.4
- nixpkgs-unstable 2.4
- nixos-unstable-small 2.4

Package maintainers

@lovek323 Jason O'Conal <jason@oconal.id.au>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>