CVE-2025-4945 - Vulnerability Details

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat Subscribe	Enterprise Linux Subscribe Rhel Aus Subscribe Rhel E4s Subscribe Rhel Els Subscribe Rhel Eus Subscribe Rhel Eus Long Life Subscribe Rhel Tus Subscribe

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-16034	A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.
Ubuntu USN	USN-7643-1	libsoup vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

To mitigate the risk associated with this libsoup vulnerability, Red Hat recommends avoiding interactions between client applications using the libsoup library and untrusted or compromised HTTP servers until a patched version of libsoup is deployed. Users and administrators should monitor their systems for suspicious HTTP activity and apply vendor updates as soon as a fix becomes available to prevent manipulation of cookie expiration logic that could lead to unexpected behavior or policy circumvention.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:19713
https://access.redhat.com/errata/RHSA-2025:19714
https://access.redhat.com/errata/RHSA-2025:19720
https://access.redhat.com/errata/RHSA-2025:20959
https://access.redhat.com/errata/RHSA-2025:21032
https://access.redhat.com/errata/RHSA-2025:21655
https://access.redhat.com/errata/RHSA-2025:21656
https://access.redhat.com/errata/RHSA-2025:21657
https://access.redhat.com/errata/RHSA-2025:21664
https://access.redhat.com/errata/RHSA-2025:21665
https://access.redhat.com/errata/RHSA-2025:21666
https://access.redhat.com/errata/RHSA-2025:21772
https://access.redhat.com/errata/RHSA-2025:22013
https://access.redhat.com/security/cve/CVE-2025-4945
https://bugzilla.redhat.com/show_bug.cgi?id=2367175
https://nvd.nist.gov/vuln/detail/CVE-2025-4945
https://www.cve.org/CVERecord?id=CVE-2025-4945

History

Tue, 25 Nov 2025 05:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/o:redhat:rhel_aus:8.2::baseos
References		https://access.redhat.com/errata/RHSA-2025:22013

Wed, 19 Nov 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus Long Life
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Vendors & Products		Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2025:21772

Tue, 18 Nov 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/o:redhat:rhel_e4s:8.8::baseos
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:21665 https://access.redhat.com/errata/RHSA-2025:21666

Tue, 18 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos
Vendors & Products		Redhat rhel Aus Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:21664

Tue, 18 Nov 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s Redhat rhel Els
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~	cpe:/a:redhat:rhel_e4s:9.0::appstream cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel E4s Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2025:21655 https://access.redhat.com/errata/RHSA-2025:21656 https://access.redhat.com/errata/RHSA-2025:21657

Tue, 11 Nov 2025 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10.1
References		https://access.redhat.com/errata/RHSA-2025:20959 https://access.redhat.com/errata/RHSA-2025:21032

Tue, 04 Nov 2025 19:45:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:9	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:19713 https://access.redhat.com/errata/RHSA-2025:19720

Tue, 04 Nov 2025 16:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/o:redhat:enterprise_linux:8::baseos
References		https://access.redhat.com/errata/RHSA-2025:19714

Wed, 21 May 2025 17:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10

Tue, 20 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 May 2025 02:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-4945 https://www.cve.org/CVERecord?id=CVE-2025-4945
Metrics	threat_severity `None`	threat_severity `Low`

Mon, 19 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.
Title		Libsoup: integer overflow in cookie expiration date handling in libsoup
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-190
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-4945 https://bugzilla.redhat.com/show_bug.cgi?id=2367175
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-05-19T17:03:09.472Z

Updated: 2025-11-25T05:13:23.815Z

Reserved: 2025-05-19T04:46:20.918Z

Link: CVE-2025-4945

Vulnrichment

Updated: 2025-05-20T14:04:47.811Z

NVD

Status : Awaiting Analysis

Published: 2025-05-19T17:15:29.103

Modified: 2025-11-25T06:15:45.920

Link: CVE-2025-4945

Redhat

Severity : Low

Publid Date: 2025-05-19T00:00:00Z

Links: CVE-2025-4945 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-190

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object