CVE-2025-46421
Public on 2025-04-24
Modified on 2025-04-30
Description
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | libsoup | No Fix Planned | ||
| Amazon Linux 2 - Core | libsoup | Pending Fix | ||
| Amazon Linux 2023 | libsoup | Pending Fix | ||
| Amazon Linux 2023 | libsoup3 | 2025-04-29 | ALAS2023-2025-941 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| NVD | CVSSv3 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |