CVE-2025-66286 Overview
CVE-2025-66286 is an API design flaw affecting WebKitGTK and WPE WebKit. The vulnerability allows untrusted web content to perform IP connections, Domain Name System (DNS) lookups, and Hypertext Transfer Protocol (HTTP) requests without going through the expected security control. Applications relying on the WebPage::send-request signal handler to approve or reject network requests can be bypassed by certain HTTP request types. The flaw is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). Exploitation requires user interaction, such as rendering attacker-controlled web content in an embedded WebKit view.
Critical Impact
Untrusted web content can bypass application-level network request filtering, enabling unauthorized network activity that host applications believed they could intercept and block.
Affected Products
- WebKitGTK
- WPE WebKit
- Applications embedding WebKitGTK or WPE WebKit that rely on WebPage::send-request for network filtering
Discovery Timeline
- 2026-04-23 - CVE-2025-66286 published to the National Vulnerability Database (NVD)
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2025-66286
Vulnerability Analysis
WebKitGTK and WPE WebKit expose the WebPage::send-request signal to host applications. Applications connect handlers to this signal to inspect, modify, or reject outbound network requests originating from rendered web content. The design intent is to provide a complete chokepoint for network egress policy enforcement.
The vulnerability stems from incomplete coverage of this signal. Specific classes of HTTP requests are dispatched through code paths that do not emit WebPage::send-request. As a result, host applications never observe these requests and cannot apply their policy decisions. This breaks the security contract documented by the WebKit API.
The practical impact is limited to confidentiality exposure at the network layer. Web content can trigger DNS resolution and TCP connections to attacker-controlled hosts, potentially exfiltrating referrer data, cookies attached by the network stack, or session identifiers embedded in URLs.
Root Cause
The root cause is an authorization bypass through inconsistent enforcement. Not every network request path within the WebKit network process invokes the host-application signal handler before issuing the request. Requests that follow alternative dispatch paths reach the network without policy review.
Attack Vector
An attacker hosts crafted web content that triggers the bypass-eligible request type. When a victim views this content inside an application embedding WebKitGTK or WPE WebKit, requests are issued directly by the network stack. The host application's filtering logic, normally invoked through WebPage::send-request, is not consulted. Successful exploitation requires user interaction to load the malicious content.
No verified public exploit code is available. Refer to the WebKit Bug Report and the Red Hat CVE Advisory for upstream technical analysis.
Detection Methods for CVE-2025-66286
Indicators of Compromise
- Outbound DNS queries from WebKitGTK or WPE WebKit processes to domains not present in application allowlists
- HTTP or HTTPS connections originating from embedded browser processes that were not logged by the host application's WebPage::send-request handler
- Discrepancies between application-level network audit logs and host-level network telemetry for the same process
Detection Strategies
- Compare network connection logs from operating system or endpoint telemetry against the application's own request audit log to identify requests the application never saw
- Inventory installed webkit2gtk and wpewebkit package versions across Linux endpoints and flag versions predating the upstream fix
- Inspect embedded application configurations to identify those that rely on WebPage::send-request as a security boundary
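The log comparison in the first detection strategy can be automated. The following is an added example, not code from WebKit or from the advisory: both log formats, the 30-second matching window and the sample lines are constructed assumptions, and `WebKitNetworkProcess` is assumed to be the process name that host telemetry reports.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data (formats are assumptions). Audit log: time, verdict, URL
# as seen by the send-request handler. Telemetry: time, process, host, port.
APP_AUDIT = """\
2026-04-24T10:00:01Z ALLOW https://intranet.example/index.html
2026-04-24T10:00:02Z ALLOW https://intranet.example/app.js
2026-04-24T10:00:02Z BLOCK https://tracker.example/pixel.gif
"""
HOST_TELEMETRY = """\
2026-04-24T10:00:01Z WebKitNetworkProcess intranet.example 443
2026-04-24T10:00:03Z WebKitNetworkProcess unreviewed.example 443
2026-04-24T10:00:03Z WebKitNetworkProcess tracker.example 443
2026-04-24T10:00:04Z sshd admin.example 22
2026-04-24T10:05:00Z WebKitNetworkProcess intranet.example 443
"""

WINDOW = timedelta(seconds=30)  # assumed tolerance between handler and socket
DEFAULT_PORT = {"http": 80, "https": 443}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_audit(text):
    """Yield (time, verdict, host, port) for each request the handler saw."""
    for line in text.splitlines():
        when, verdict, url = line.split(maxsplit=2)
        u = urlsplit(url)
        yield _ts(when), verdict, u.hostname, u.port or DEFAULT_PORT.get(u.scheme)

def unreviewed_connections(audit_text, telemetry_text, process="WebKitNetworkProcess"):
    """Return host-level connections with no matching ALLOW in the audit log."""
    audit = list(parse_audit(audit_text))
    findings = []
    for line in telemetry_text.splitlines():
        when, proc, host, port = line.split()
        if proc != process:
            continue  # only the embedded browser's network process is in scope
        t, port = _ts(when), int(port)
        nearby = [v for (at, v, h, p) in audit
                  if h == host and p == port and abs(t - at) <= WINDOW]
        if "ALLOW" not in nearby:
            reason = "blocked-by-app" if "BLOCK" in nearby else "never-seen"
            findings.append((when, host, port, reason))
    return findings

if __name__ == "__main__":
    print(*unreviewed_connections(APP_AUDIT, HOST_TELEMETRY), sep="\n")
```

Connection reuse and keep-alive can produce connections with no nearby audit entry, so tune the window against known-good traffic before alerting on `never-seen` results.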
Monitoring Recommendations
- Capture process-level network telemetry for known WebKit consumers such as GNOME Web (Epiphany), Evolution, and embedded kiosk applications
- Alert on unexpected destination domains from processes that should route through application-controlled proxies
- Track upstream WebKitGTK and WPE WebKit release notes for the fix commit referenced in the Red Hat Bug Report
How to Mitigate CVE-2025-66286
Immediate Actions Required
- Identify all applications on managed endpoints that link against libwebkit2gtk or libwpewebkit and depend on WebPage::send-request for network policy
- Apply vendor-supplied updates for WebKitGTK and WPE WebKit as soon as distribution packages become available
- Restrict embedded WebKit views from loading arbitrary remote content where possible
Patch Information
Monitor distribution security trackers, including the Red Hat CVE Advisory, for fixed package versions. Upstream tracking is available in the WebKit Bug Report.
Workarounds
- Enforce network egress policy at the operating system or network layer rather than relying solely on WebPage::send-request
- Disable JavaScript and remote content loading in embedded WebKit views that do not require it
- Run WebKit-embedding applications under sandboxing frameworks such as bubblewrap or firejail with explicit network restrictions
# Example: restrict network access for a WebKit-embedding application with firejail
firejail --net=none --noprofile /usr/bin/example-webkit-app


