Bug#1104414: libsoup3: CVE-2025-4035: public suffix protection bypass via non-canonicalized domains
Simon McVittie
smcv at debian.org
Fri Jul 11 22:46:23 BST 2025
Control: retitle -1 libsoup3: CVE-2025-4035: public suffix protection bypass via non-canonicalized domains
On Tue, 29 Apr 2025 at 21:56:42 +0200, Salvatore Bonaccorso wrote:
>The following vulnerability was published for libsoup.
>
>CVE-2025-4035[0]:
>| A flaw was found in libsoup. When handling cookies, libsoup clients
>| mistakenly allow cookies to be set for public suffix domains if the
>| domain contains at least two components and includes an uppercase
>| character. This bypasses public suffix protections and could allow a
>| malicious website to set cookies for domains it does not own,
>| potentially leading to integrity issues such as session fixation.
A fix is being developed on
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/448 but it
doesn't seem to be quite there yet. I'm sure upstream would appreciate
help if someone can provide it, but I don't have relevant expertise.
smcv
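
Added example, not part of the original message and not libsoup's code: a C illustration of how a case-sensitive public suffix lookup can let a mixed-case Domain value such as "CO.UK" through, next to a check that canonicalizes first. The three-entry suffix list, the exact-match lookup (standing in for the full Public Suffix List algorithm) and all function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list; a real client loads the full Public Suffix List. */
static const char *const SUFFIXES[] = { "com", "uk", "co.uk" };

/* Exact, case-sensitive lookup against the lowercase list. */
static int in_list(const char *domain) {
    for (size_t i = 0; i < sizeof SUFFIXES / sizeof SUFFIXES[0]; i++)
        if (strcmp(domain, SUFFIXES[i]) == 0)
            return 1;
    return 0;
}

/* ASCII-lowercase into out; returns -1 if empty or too long (IDN not handled). */
static int canonicalize(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in);
    if (n == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return 0;
}

/* Weak form: compares the Domain attribute exactly as received. */
int cookie_domain_allowed_raw(const char *domain) {
    return !in_list(domain);
}

/* Hardened form: canonicalize first, and refuse the cookie if that fails. */
int cookie_domain_allowed(const char *domain) {
    char canon[254];
    if (canonicalize(domain, canon, sizeof canon) != 0)
        return 0;
    return !in_list(canon);
}

int main(void) {
    /* Constructed sample Domain attribute values. */
    const char *samples[] = { "co.uk", "CO.UK", "Co.Uk", "Example.Co.Uk" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s raw=%d canonical=%d\n", samples[i],
               cookie_domain_allowed_raw(samples[i]),
               cookie_domain_allowed(samples[i]));
    return 0;
}
```

A regression test for the eventual fix can use the same pairing: the lowercase suffix and every mixed-case spelling of it must be rejected alike.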