CVE-2025-46421 Overview
A credential leakage vulnerability has been identified in libsoup, the HTTP client/server library for GNOME. When libsoup clients encounter an HTTP redirect (3xx response), they incorrectly forward the HTTP Authorization header to the new host specified in the redirect location. This behavior allows a malicious or compromised redirect target to capture authentication credentials, enabling impersonation attacks against the original server that issued the redirect.
Critical Impact
Attackers can steal HTTP Authorization credentials by redirecting libsoup clients to attacker-controlled servers, enabling user impersonation and unauthorized access to protected resources.
Affected Products
- libsoup (GNOME HTTP library)
- Applications and services utilizing libsoup for HTTP client functionality
- Red Hat Enterprise Linux distributions with vulnerable libsoup packages
Discovery Timeline
- April 24, 2025 - CVE-2025-46421 published to NVD
- July 28, 2025 - Last updated in NVD database
Technical Details for CVE-2025-46421
Vulnerability Analysis
This vulnerability represents an information disclosure flaw (CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere) in the libsoup library's HTTP redirect handling logic. When a libsoup client receives an HTTP redirect response, the library fails to strip sensitive authentication headers before following the redirect to a potentially different host.
In standard HTTP security practice, authentication credentials should be scoped to the origin that requested them. The Authorization header, which typically contains credentials such as Basic authentication tokens, Bearer tokens, or other authentication schemes, should never be automatically forwarded to third-party hosts. The libsoup library's failure to implement this security boundary allows credential theft through redirect manipulation.
The attack requires user interaction in the form of the victim making an HTTP request that can be redirected. The attack complexity is elevated because the attacker must either control an intermediate network position to inject redirects or compromise a legitimate server to issue malicious redirects.
Root Cause
The root cause lies in libsoup's HTTP redirect processing code, which does not differentiate between same-origin and cross-origin redirects when handling authentication headers. When processing a 3xx redirect response, the library copies all headers from the original request to the follow-up request directed at the new URL, including the sensitive Authorization header. This violates the principle that authentication credentials should remain within their original security context.
Attack Vector
The attack operates over the network and follows this general exploitation flow:
- A victim application using libsoup initiates an authenticated HTTP request to a legitimate server
- The attacker intercepts or controls the response to inject a redirect (HTTP 301, 302, 303, 307, or 308) pointing to an attacker-controlled server
- The libsoup client follows the redirect and mistakenly includes the Authorization header in the request to the malicious server
- The attacker captures the credentials from the forwarded request
- The attacker can now impersonate the victim to the original server using the stolen credentials
This vulnerability affects both confidentiality and integrity, because the stolen credentials enable unauthorized data access and allow the attacker to perform actions as the compromised user.
Detection Methods for CVE-2025-46421
Indicators of Compromise
- Unexpected outbound HTTP requests containing Authorization headers to unknown or suspicious external hosts
- Network traffic logs showing authentication headers being sent following redirect chains to third-party domains
- Server-side logs indicating authentication attempts from unusual source IP addresses or geographic locations
Detection Strategies
- Monitor network traffic for HTTP redirects that cross domain boundaries while carrying authorization headers
- Implement deep packet inspection to detect Authorization headers in requests following redirect responses
- Audit application logs for redirect chains that terminate at unexpected or untrusted hosts
- Review system package versions to identify vulnerable libsoup installations
Monitoring Recommendations
- Deploy network-level monitoring to flag HTTP requests containing Authorization headers to domains outside the organization's trusted list
- Configure SIEM rules to correlate redirect responses with subsequent authenticated requests to different hosts
- Enable verbose logging in applications using libsoup to track HTTP redirect behavior
- Monitor for unauthorized access patterns that may indicate credential theft and impersonation
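The SIEM correlation described above, as an added example that is not part of the original advisory: it walks a few constructed egress-proxy log lines (the key=value format, the `auth=yes` marker for "request carried an Authorization header", and the hosts are all assumptions) and flags a client that followed a 3xx to a different origin while still sending credentials.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). auth=yes means the request
# carried an Authorization header; location=- means no Location header.
SAMPLE_LOG = """\
2025-05-01T10:00:00Z client=10.0.0.5 method=GET url=https://api.example.com/v1/data auth=yes status=302 location=https://cdn.evil.example.net/capture
2025-05-01T10:00:01Z client=10.0.0.5 method=GET url=https://cdn.evil.example.net/capture auth=yes status=200 location=-
2025-05-01T10:00:05Z client=10.0.0.7 method=GET url=https://api.example.com/v1/data auth=yes status=301 location=https://api.example.com/v2/data
2025-05-01T10:00:06Z client=10.0.0.7 method=GET url=https://api.example.com/v2/data auth=yes status=200 location=-
2025-05-01T10:00:09Z client=10.0.0.9 method=GET url=https://api.example.com/v1/data auth=yes status=302 location=https://files.partner.example.org/x
2025-05-01T10:00:10Z client=10.0.0.9 method=GET url=https://files.partner.example.org/x auth=no status=200 location=-
"""

WINDOW = timedelta(seconds=30)  # how long a pending redirect stays correlatable

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec

def origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower())

def find_credential_leaks(log_text):
    """Flag a request that (1) follows a 3xx from the same client within WINDOW,
    (2) goes to the origin named in that Location, (3) crosses origins, and
    (4) still carries an Authorization header. Returns (client, from, to)."""
    pending = {}   # client -> (ts, original_origin, redirect_origin)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        client = rec["client"]
        hit = pending.get(client)
        if hit and rec["ts"] - hit[0] <= WINDOW and origin(rec["url"]) == hit[2]:
            if hit[1] != hit[2] and rec["auth"] == "yes":
                alerts.append((client, hit[1][1], hit[2][1]))
            del pending[client]
        if 300 <= rec["status"] < 400 and rec["location"] != "-":
            pending[client] = (rec["ts"], origin(rec["url"]), origin(rec["location"]))
    return alerts

if __name__ == "__main__":
    for client, src, dst in find_credential_leaks(SAMPLE_LOG):
        print(f"ALERT {client}: credentials for {src} forwarded to {dst}")
```

Only the first client is reported: the second follows a same-origin redirect and the third drops the header before the cross-origin hop.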
How to Mitigate CVE-2025-46421
Immediate Actions Required
- Update libsoup to the latest patched version available for your distribution
- Apply Red Hat security advisories if running Red Hat Enterprise Linux or derivative distributions
- Audit applications that rely on libsoup for HTTP client functionality and prioritize updates
- Consider rotating credentials for services where libsoup clients may have transmitted authentication data
Patch Information
Multiple Red Hat Security Advisories address this vulnerability across different RHEL versions and architectures. Organizations running Red Hat Enterprise Linux should apply the relevant security updates:
- RHSA-2025:4439
- RHSA-2025:4440
- RHSA-2025:4508
- RHSA-2025:4538
- RHSA-2025:4560
- RHSA-2025:4568
- RHSA-2025:4609
- RHSA-2025:4624
- RHSA-2025:7436
- RHSA-2025:7505
Additional technical details are available in Red Hat Bugzilla Report #2361962 and the GNOME Libsoup Issue #439.
Workarounds
- Disable automatic redirect following in libsoup clients and implement manual redirect handling with credential stripping
- Deploy a network proxy that strips Authorization headers from cross-origin redirect requests
- Restrict outbound network access for applications using libsoup to limit potential credential exfiltration destinations
- Use short-lived or request-scoped authentication tokens to minimize the impact window of credential theft
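The origin check that the Root Cause section says libsoup's redirect code lacked, written as an added Python example for the manual-redirect-handling workaround above (this is not libsoup's code; the request dictionary shape and the header list are assumptions). The follow-up request keeps credentials only when scheme, host and port all match, with default ports normalized so that an explicit :443 is not mistaken for a different origin.

```python
from urllib.parse import urlsplit, urljoin

# Headers that must not cross an origin boundary on redirect (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) with default ports normalized, so that
    https://example.com and https://example.com:443 compare as equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def build_redirect_request(request, status, location):
    """Build the follow-up request for a 3xx response.
    request: {'method': str, 'url': str, 'headers': dict}.
    Credentials are copied only when the target shares the original origin."""
    target = urljoin(request["url"], location)   # Location may be relative
    same_origin = origin_of(request["url"]) == origin_of(target)
    headers = {}
    for name, value in request["headers"].items():
        if name.lower() in SENSITIVE_HEADERS and not same_origin:
            continue   # drop credentials on a cross-origin hop
        headers[name] = value
    # 303 always becomes GET; 301/302 conventionally do for POST (as most
    # clients behave); 307/308 preserve the method.
    method = request["method"]
    if status == 303 or (status in (301, 302) and method == "POST"):
        method = "GET"
    return {"method": method, "url": target, "headers": headers,
            "same_origin": same_origin}

if __name__ == "__main__":
    req = {"method": "GET", "url": "https://api.example.com/v1/data",
           "headers": {"Authorization": "Bearer constructed-token"}}
    print(build_redirect_request(req, 302, "https://cdn.evil.example.net/capture"))
    print(build_redirect_request(req, 301, "/v2/data"))
```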
# Update libsoup on Red Hat Enterprise Linux systems
sudo dnf update libsoup --security
# Verify installed libsoup version
rpm -qa | grep libsoup
# Check for available security updates
sudo dnf updateinfo list security
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.