CVE-2025-12105
📋 TL;DR
A use-after-free in libsoup's HTTP/2 message queue handling lets a remote attacker crash applications by driving a specific HTTP/2 request sequence against them. In GNOME applications and WebKitGTK-based browsers libsoup acts as the HTTP client, so the attacker-controlled endpoint is the HTTP/2 server the application is induced to connect to (or anyone able to tamper with that connection). The practical outcome is a denial of service of the affected application; libsoup 2.4 has no HTTP/2 support, so the issue is specific to the 3.x series.
💻 Affected Systems
- GNOME applications
- WebKit-based browsers
- Applications using libsoup library
⚠️ Manual Verification Required
This CVE entry carries no version range, so automated matching cannot decide whether a given install is affected: the NVD/vendor record does not state which versions are vulnerable.
Treat the fix version quoted below as the threshold and confirm it against your distribution's advisory, because distributions frequently backport fixes without changing the upstream version number.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through the memory corruption, compromising the application and, depending on its privileges, the user's session or the system. This is the ceiling for a use-after-free rather than the expected result: the outcome reported for this issue is a crash, and turning it into code execution would additionally require the attacker to control what gets allocated in the freed slot between the free and the stale use.
Likely Case
Application crash resulting in denial-of-service, disrupting service availability for affected applications.
If Mitigated
Minimal impact with proper network segmentation and updated software.
🎯 Exploit Status
Exploitation requires a precisely timed HTTP/2 request/cancel sequence against the vulnerable client, so a reliable trigger is harder than a single bad response but not out of reach; a crash-only trigger is far easier to achieve than a controlled exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libsoup 3.4.6 or later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-12105
Restart Required: Yes
Instructions:
1. Update libsoup with your distribution's package manager. The libsoup 3 runtime package is typically libsoup3 on Fedora/RHEL and libsoup-3.0-0 on Debian/Ubuntu; the libsoup 2.4 packages are a separate, HTTP/1-only library and are not what this advisory covers.
   Fedora/RHEL: dnf update libsoup3 (yum update libsoup3 on older releases)
   Debian/Ubuntu: apt update && apt install --only-upgrade libsoup-3.0-0
2. Restart every process that still has the old library mapped; replacing the file on disk does not change a running process. needs-restarting (RHEL, yum-utils/dnf-utils) or needrestart (Debian/Ubuntu) list them, and grep -l 'libsoup-3.*(deleted)' /proc/[0-9]*/maps shows processes still using the replaced file. On a desktop, logging out of the session or rebooting is the simple option.
🔧 Temporary Workarounds
Force HTTP/1.1 in libsoup
libsoup 3 reads the SOUP_FORCE_HTTP1 environment variable when a session is created and, when it is set, stops negotiating HTTP/2; verify this against the soup-session.c of the libsoup version you ship before relying on it. Set it in the environment of the affected application (its systemd user unit, desktop launcher or wrapper script):
export SOUP_FORCE_HTTP1=1
Neither GIO_EXTRA_MODULES (which only changes where GIO looks for loadable modules) nor SOUP_DEBUG alters protocol negotiation. Forcing HTTP/1.1 loses multiplexing but removes the vulnerable code path entirely.
Network filtering
Block or rate-limit HTTP/2 toward the vulnerable applications. In practice libsoup negotiates HTTP/2 via ALPN inside TLS, so a packet filter cannot see the request/cancel sequence itself; the workable form of this control is an egress proxy that terminates TLS and offers only HTTP/1.1 to the client, which removes the vulnerable path the same way the environment variable does.
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Put the filtering on the client's outbound path (an egress or forward proxy) rather than relying on a web application firewall, which sits in front of servers; here the vulnerable party is the client
🔍 How to Verify
Check if Vulnerable:
Confirm whether the libsoup 3 runtime is installed at all (dpkg -l | grep libsoup or rpm -qa | grep libsoup). Only the 3.x series has HTTP/2 support; hosts with only libsoup 2.4 are not in scope.
Check Version:
There is no libsoup-3.0 command-line binary, so ask the package manager or pkg-config:
Debian/Ubuntu: dpkg-query -W libsoup-3.0-0
Fedora/RHEL: rpm -q libsoup3
Any distribution with the development package installed: pkg-config --modversion libsoup-3.0
From Python with GObject introspection: python3 -c "import gi; gi.require_version('Soup', '3.0'); from gi.repository import Soup; print(Soup.get_major_version(), Soup.get_minor_version(), Soup.get_micro_version())"
Verify Fix Applied:
The reported version must be 3.4.6 or higher, or, for a backported fix that keeps an older version number, the package changelog must reference CVE-2025-12105 (rpm -q --changelog libsoup3 | grep CVE-2025-12105, or zcat /usr/share/doc/libsoup-3.0-0/changelog.Debian.gz | grep CVE-2025-12105). Then confirm that no running process still maps the pre-upgrade library (grep -l 'libsoup-3.*(deleted)' /proc/[0-9]*/maps should print nothing), since the fix only takes effect after restart.
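The version and changelog checks above, combined into one script as an added example (not code from the advisory or the libsoup project). It assumes the usual package names, libsoup-3.0-0 on Debian/Ubuntu and libsoup3 on Fedora/RHEL, and a GNU sort that understands -V; the hypothetical function names are mine.

```sh
#!/bin/sh
# Added example, not part of the advisory: decide whether the libsoup 3 runtime
# on this host is at or above the fix version quoted above, and fall back to
# the distribution changelog for backported fixes that keep the old upstream
# version number. Package names are the usual ones (libsoup-3.0-0 on
# Debian/Ubuntu, libsoup3 on Fedora/RHEL); adjust them if your distro differs.

CVE_ID="CVE-2025-12105"
FIXED_VERSION="3.4.6"

# version_ge A B: succeed when dotted version A is >= B (GNU sort -V ordering,
# so 3.4.10 correctly sorts above 3.4.6).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# normalize_pkg_version: strip a package epoch ("1:") and release suffix
# ("-5", "-1ubuntu2") so only the upstream x.y.z remains.
normalize_pkg_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# installed_libsoup3_version: print the upstream version of the libsoup 3
# runtime, or an empty line if none of pkg-config (needs the -dev/-devel
# package), dpkg or rpm can report one. Always returns 0.
installed_libsoup3_version() {
    v=""
    if command -v pkg-config >/dev/null 2>&1; then
        v=$(pkg-config --modversion libsoup-3.0 2>/dev/null) || v=""
    fi
    if [ -z "$v" ] && command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' libsoup-3.0-0 2>/dev/null) || v=""
    fi
    if [ -z "$v" ] && command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' libsoup3 2>/dev/null) || v=""
    fi
    normalize_pkg_version "$v"
}

# changelog_mentions_cve PKG: succeed if the installed package's changelog
# names the CVE, which is how a backported fix shows up.
changelog_mentions_cve() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$1" 2>/dev/null | grep -q "$CVE_ID" && return 0
    fi
    f="/usr/share/doc/$1/changelog.Debian.gz"
    if [ -r "$f" ]; then
        zcat "$f" 2>/dev/null | grep -q "$CVE_ID" && return 0
    fi
    return 1
}

# classify VERSION: print "fixed", "vulnerable" or "unknown". Pure string
# logic, so it can be exercised without the package tools present.
classify() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# assess: run the live check on this host and print a one-line verdict.
assess() {
    v=$(installed_libsoup3_version)
    case "$(classify "$v")" in
        fixed)
            echo "libsoup $v >= $FIXED_VERSION: fixed (now confirm affected processes were restarted)" ;;
        vulnerable)
            if changelog_mentions_cve libsoup3 || changelog_mentions_cve libsoup-3.0-0; then
                echo "libsoup $v < $FIXED_VERSION but the package changelog references $CVE_ID: backported fix, confirm with the vendor advisory"
            else
                echo "libsoup $v < $FIXED_VERSION with no changelog reference to $CVE_ID: treat as VULNERABLE"
            fi ;;
        *)
            echo "libsoup 3 runtime not found via pkg-config, dpkg or rpm; check manually" ;;
    esac
}

assess
```

The version compare is kept separate from the package lookups on purpose: a vulnerability scanner that only matches the upstream number would flag every backported build as vulnerable, and one that trusts the distro blindly would miss hosts where the package was never rebuilt, so the script reports both signals and lets the changelog override the number.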
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Unexpected termination of GNOME/WebKit applications
- Memory corruption errors in system logs
- On systemd hosts, coredumpctl entries for processes that link libsoup-3.0 (for WebKitGTK this is the WebKitNetworkProcess); a backtrace from the dump with frames in libsoup's HTTP/2 code is the strongest local indicator
Network Indicators:
- Rapid HTTP/2 request/cancel sequences
- Abnormal HTTP/2 traffic patterns
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "SIGSEGV" OR "use-after-free") AND ("libsoup" OR "WebKitNetworkProcess")
Requiring a crash term alongside the library or process name keeps the query from matching every benign log line that mentions libsoup; expect it to surface ordinary crashes too, so review the backtrace before attributing a hit to this CVE.