vulnerability
Red Hat: CVE-2025-4035: libsoup: Cookie domain validation bypass via uppercase characters in libsoup (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Apr 29, 2025 | Jul 9, 2025 | Jan 27, 2026 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Apr 29, 2025
Added
Jul 9, 2025
Modified
Jan 27, 2026
Description
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
Solutions
no-fix-redhat-rpm-packageredhat-upgrade-libsoup3redhat-upgrade-libsoup3-debuginforedhat-upgrade-libsoup3-debugsourceredhat-upgrade-libsoup3-develredhat-upgrade-libsoup3-doc
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.