CVE-2025-4035

MEDIUM

Libsoup - Info Disclosure

Title source: llm

Description

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

References (3)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:8128

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-4035

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2362651

Scores

CVSS v3 4.3

EPSS 0.0019

EPSS Percentile 41.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-178

Status published

Products (5)

Red Hat/Red Hat Enterprise Linux 10 0:3.6.5-3.el10_0.6

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Published Apr 29, 2025

Tracked Since Feb 18, 2026