libsoup Cookie Public Suffix Domain Bypass (CVE-2025-4035)
CVE-2025-4035 Published on April 29, 2025

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-4035 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Improper Handling of Case Sensitivity

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.


Products Associated with CVE-2025-4035

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-4035 are published in these products:

GNOME Libsoup
 
Red Hat Enterprise Linux (RHEL)
 

Affected Versions

Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9:

Exploit Probability

EPSS
0.03%
Percentile
7.21%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.