CVE-2025-9901: Libsoup: improper handling of http vary header in libsoup caching
A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
Security readout for executives and security teams
Plain-English summary
Libsoup can reuse a cached web response when it should keep responses separate by request headers. In shared or proxy-like use, one user could receive content meant for another request, creating a confidentiality risk. The sources say everyday desktop use is unlikely to be affected.
Executive priority
Handle as a targeted confidentiality risk, not a broad emergency. Prioritize internet-facing, proxy-like, or multi-user services using libsoup caching before ordinary desktop fleets.
Technical view
SoupCache ignores the HTTP Vary header when evaluating cached responses. Vary should distinguish cached objects by headers such as language or authentication. The reported impact is confidentiality exposure only, with CVSS 3.1 score 5.9 and CWE-524 classification.
Likely exposure
Most relevant exposure is RHEL systems running applications or services that use libsoup or libsoup3 SoupCache in proxy, shared-cache, or multi-user contexts. Red Hat lists RHEL 7, 8, 9, and 10 as affected; RHEL 6 status is unknown.
Exploitation context
The bundle does not show KEV listing or active exploitation. Practical abuse appears context-dependent and higher-complexity, requiring cache reuse across requests where headers should produce separate responses, especially around authentication or other sensitive variations.
Researcher notes
Evidence supports the root cause and affected Red Hat product families, but not exploit activity or fixed versions. Validation should focus on whether SoupCache is used where Vary separates sensitive responses.
Mitigation direction
Check Red Hat and GNOME guidance for fixed package availability.
Prioritize RHEL 7, 8, 9, and 10 systems using libsoup caching.
Avoid shared SoupCache use for authenticated or user-specific responses.
Segregate caches per user, tenant, or security context where possible.
Treat RHEL 6 exposure as unknown until vendor guidance clarifies status.
Validation and detection
Inventory installed libsoup and libsoup3 packages on RHEL systems.
Identify applications or services that enable SoupCache.
Check whether caches are shared across users, sessions, or tenants.
Review whether cached responses vary by Authorization, Cookie, or language headers.
Track Red Hat advisory status for fixed builds or backports.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-524: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-524 · source CWE mapping
Use of Cache Containing Sensitive Information
Use of Cache Containing Sensitive Information represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.