CVE-2025-2784

Name
CVE-2025-2784
Description
A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read during content sniffing in the skip_insight_whitespace() function: a libsoup client may read one byte out of bounds when processing a crafted HTTP response from an HTTP server.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                                   URI
vdb-entry                              https://access.redhat.com/security/cve/CVE-2025-2784
issue-tracking                         https://bugzilla.redhat.com/show_bug.cgi?id=2354669
                                       https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:7505
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8126
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8139
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8132
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8140
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8252
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8480
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8481
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8482
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:8663
vendor-advisory                        https://access.redhat.com/errata/RHSA-2025:9179
af854a3a-2127-422b-91ae-364da2661108   https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:21657

Match rules

CPE URI                                        Source package   Min version              Max version
                                               shopxo           >= 0                     < 3.6.5
cpe:/o:redhat:enterprise_linux:10.0            shopxo           >= 0:3.6.5-3.el10_0      < *
cpe:/o:redhat:rhel_els:7                       shopxo           >= 0:2.62.2-6.el7_9      < *
cpe:/a:redhat:enterprise_linux:8::appstream    shopxo           >= 0:2.62.3-9.el8_10     < *
cpe:/o:redhat:rhel_aus:8.2::baseos             shopxo           >= 0:2.62.3-1.el8_2.5    < *
cpe:/a:redhat:rhel_aus:8.4::appstream          shopxo           >= 0:2.62.3-2.el8_4.5    < *
cpe:/o:redhat:rhel_e4s:8.6::baseos             shopxo           >= 0:2.62.3-2.el8_6.5    < *
cpe:/a:redhat:rhel_eus:8.8::appstream          shopxo           >= 0:2.62.3-3.el8_8.5    < *
cpe:/a:redhat:enterprise_linux:9::appstream    shopxo           >= 0:2.72.0-10.el9_6.2   < *
cpe:/a:redhat:rhel_e4s:9.0::appstream          shopxo           >= 0:2.72.0-8.el9_0.5    < *
cpe:/a:redhat:rhel_eus:9.2::appstream          shopxo           >= 0:2.72.0-8.el9_2.5    < *
cpe:/a:redhat:rhel_eus:9.4::appstream          shopxo           >= 0:2.72.0-8.el9_4.5    < *
cpe:2.3:a:gnome:libsoup:*:*:*:*:*:*:*:*        libsoup          >= None                  < 3.6.5

Vulnerable and fixed packages

Source package   Branch            Version     Maintainer                              Status
libsoup          edge-community    2.74.3-r3   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable
libsoup          edge-community    2.74.3-r2   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable
libsoup          3.22-community    2.74.3-r2   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable