CVE-2025-32907 - Vulnerability Details

- Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header

Description

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.

Published: 2025-04-14

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 3.6.5

Red Hat

Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:3.6.5-3.el10_0.6`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:2.8-3.el8_10.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:8.10-1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:2.72.0-10.el9_6.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:2.72.0-8.el9_0.4`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.2 Extended Update Support

affected

Version	Status	Constraints
`0:2.72.0-8.el9_2.4`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.4 Extended Update Support

affected

Version	Status	Constraints
`0:2.72.0-8.el9_4.4`	unaffected	< *

Red Hat Red Hat Enterprise Linux 6 unknown —

Red Hat Red Hat Enterprise Linux 7 unknown —

Red Hat Red Hat Enterprise Linux 8 unaffected —

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
libsoup3-0:3.6.5-3.el10_0.6	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:8128	2025-05-26T00:00:00Z
Red Hat Enterprise Linux 8
mingw-freetype-0:2.8-3.el8_10.1	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:8292	2025-05-29T00:00:00Z
spice-client-win-0:8.10-1	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:8292	2025-05-29T00:00:00Z
Red Hat Enterprise Linux 9
libsoup-0:2.72.0-10.el9_6.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7436	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
libsoup-0:2.72.0-8.el9_0.4	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:4439	2025-05-05T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
libsoup-0:2.72.0-8.el9_2.4	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:4508	2025-05-06T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
libsoup-0:2.72.0-8.el9_4.4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:4440	2025-05-05T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

Currently, no mitigation was found for this vulnerability.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4140-1	libsoup2.4 security update
EUVD	EUVD-2025-10900	A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
Ubuntu USN	USN-7643-1	libsoup vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00989.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:4439
https://access.redhat.com/errata/RHSA-2025:4440
https://access.redhat.com/errata/RHSA-2025:4508
https://access.redhat.com/errata/RHSA-2025:7436
https://access.redhat.com/errata/RHSA-2025:8128
https://access.redhat.com/errata/RHSA-2025:8292
https://access.redhat.com/security/cve/CVE-2025-32907
https://bugzilla.redhat.com/show_bug.cgi?id=2359342
https://nvd.nist.gov/vuln/detail/CVE-2025-32907
https://www.cve.org/CVERecord?id=CVE-2025-32907

History

Thu, 29 May 2025 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Thu, 29 May 2025 07:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb
References		https://access.redhat.com/errata/RHSA-2025:8292

Mon, 26 May 2025 12:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~	cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:8128

Wed, 21 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10

Wed, 14 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9

Tue, 13 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2025:7436

Wed, 07 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.2

Tue, 06 May 2025 20:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.2::appstream
References		https://access.redhat.com/errata/RHSA-2025:4508

Mon, 05 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:9.4

Mon, 05 May 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.4::appstream
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:4440

Mon, 05 May 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
Vendors & Products		Redhat rhel E4s
References		https://access.redhat.com/errata/RHSA-2025:4439

Tue, 29 Apr 2025 06:45:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Important`	threat_severity `Moderate`

Mon, 28 Apr 2025 10:45:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory.	A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Tue, 15 Apr 2025 02:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-32907 https://www.cve.org/CVERecord?id=CVE-2025-32907
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 14 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory.
Title		Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-1050
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-32907 https://bugzilla.redhat.com/show_bug.cgi?id=2359342
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Redhat Enterprise Linux Rhel E4s Rhel Eus

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-04-14T14:00:09.723Z

Updated: 2025-11-18T08:35:33.088Z

Reserved: 2025-04-14T01:37:48.152Z

Link: CVE-2025-32907

Vulnrichment

Updated: 2025-04-14T14:13:25.294Z

NVD

Status : Awaiting Analysis

Published: 2025-04-14T14:15:24.580

Modified: 2025-05-29T07:15:24.333

Link: CVE-2025-32907

Redhat

Severity : Moderate

Publid Date: 2025-04-14T00:00:00Z

Links: CVE-2025-32907 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-1050

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object