VDB
DEBIAN-CVE-2025-4035
DEBIAN-CVE-2025-4035
PUBLISHED
CVSS 4.300000190734863 MEDIUM
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
Risk Scores
CVSS v3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | libsoup3 | 3.4.4-5, 3.6.5-7, 3.6.5-8 |
| Debian:13 | libsoup2.4 | 0, 2.74.3-10.1, 2.74.3-11 |
| Debian:14 | libsoup3 | 3.6.5-5, 3.6.6-1, 3.6.5-9 |
| Debian:11 | libsoup2.4 | 2.74.3-9, 2.72.0-2, 2.72.0-2+deb11u1 |
| Debian:13 | libsoup3 | 0, 3.6.5-3, 3.6.5-4 |
| Debian:12 | libsoup2.4 | 2.74.3-9, *, 2.74.3-3 |
Timeline
- Apr 29, 2025 CVE Published
- Apr 28, 2026 CVE Updated