CVE-2025-2784

HIGH

Gnome Libsoup < 3.6.5 - Out-of-Bounds Read

Title source: rule

Description

A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

References (16)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:21657

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:7505

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8126

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8132

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8139

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8140

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8252

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8480

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8481

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8482

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:8663

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:9179

[Third Party Advisory] https://access.redhat.com/security/cve/CVE-2025-2784

[Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2354669

[Exploit, Issue Tracking] https://gitlab.gnome.org/GNOME/libsoup/-/issues/422

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html

Scores

CVSS v3 7.0

EPSS 0.0215

EPSS Percentile 84.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Classification

CWE

CWE-125

Status published

Affected Products (50)

gnome/libsoup < 3.6.5

redhat/codeready_linux_builder

redhat/codeready_linux_builder_for_arm64

redhat/codeready_linux_builder_for_arm64_eus

redhat/codeready_linux_builder_for_ibm_z_systems

redhat/codeready_linux_builder_for_ibm_z_systems_eus

redhat/codeready_linux_builder_for_power_little_endian

redhat/codeready_linux_builder_for_power_little_endian_eus

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux_eus

redhat/enterprise_linux_eus

redhat/enterprise_linux_eus

redhat/enterprise_linux_eus

... and 35 more

Timeline

Published Apr 03, 2025

Tracked Since Feb 18, 2026