CVE-2025-9901
📋 TL;DR
A vulnerability in libsoup's SoupCache ignores the HTTP Vary header when evaluating cached responses, allowing cached content to be incorrectly reused across different requests. This can expose sensitive user information like authentication tokens or language-specific content. The issue primarily affects proxy servers or multi-user environments using libsoup for HTTP caching.
💻 Affected Systems
- libsoup
- applications using libsoup for HTTP caching
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive user data (authentication tokens, personal information) cached for one user is served to another user, leading to account compromise or data leakage.
Likely Case
Users receive incorrect cached content (wrong language, user-specific data) but without direct authentication bypass.
If Mitigated
Limited impact with proper cache isolation and monitoring; primarily affects multi-tenant proxy environments.
🎯 Exploit Status
Exploitation requires specific cache poisoning scenarios and depends on application behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check distribution-specific updates (e.g., libsoup 2.74.3 or later for some distributions)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-9901
Restart Required: No
Instructions:
1. Check your distribution's security advisories. 2. Update libsoup package via package manager (e.g., 'sudo apt update && sudo apt upgrade libsoup*' for Debian/Ubuntu). 3. Restart affected services if they dynamically link to libsoup.
🔧 Temporary Workarounds
Disable SoupCache
allDisable HTTP caching in libsoup to prevent the vulnerability from being exploited.
Set environment variable: export SOUP_DISABLE_CACHE=1
Or configure application to not use SoupCache
🧯 If You Can't Patch
- Isolate cache storage per user or session to prevent cross-user data leakage.
- Implement additional application-layer validation to ensure cached responses match request headers.
🔍 How to Verify
Check if Vulnerable:
Check libsoup version: 'pkg-config --modversion libsoup-2.4' and compare with patched version for your distribution.Check Version:
pkg-config --modversion libsoup-2.4Verify Fix Applied:
Verify updated version: 'pkg-config --modversion libsoup-2.4' shows patched version (e.g., 2.74.3 or higher).📡 Detection & Monitoring
Log Indicators:
- Unexpected cache hits for varied requests
- User complaints about receiving wrong cached content
Network Indicators:
- HTTP responses with mismatched Vary headers in cache hits
SIEM Query:
Search for logs indicating cache poisoning or user session mismatches in applications using libsoup.