CVE-2025-32907

Description

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.

Reserved 2025-04-14 | Published 2025-04-14 | Updated 2025-05-29 | Assigner redhat

Problem types

Excessive Platform Resource Consumption within a Loop

Product status

Default status
unaffected

Any version before 3.6.5
affected

Default status
affected

0:3.6.5-3.el10_0.6 before *
unaffected

Default status
affected

0:2.8-3.el8_10.1 before *
unaffected

Default status
affected

0:8.10-1 before *
unaffected

Default status
affected

0:2.72.0-10.el9_6.1 before *
unaffected

Default status
affected

0:2.72.0-8.el9_0.4 before *
unaffected

Default status
affected

0:2.72.0-8.el9_2.4 before *
unaffected

Default status
affected

0:2.72.0-8.el9_4.4 before *
unaffected

Default status
unknown

Default status
unknown

Default status
unaffected

Timeline

2025-04-14:	Reported to Red Hat.
2025-04-14:	Made public.

References

access.redhat.com/errata/RHSA-2025:4439 (RHSA-2025:4439) vendor-advisory

access.redhat.com/errata/RHSA-2025:4440 (RHSA-2025:4440) vendor-advisory

access.redhat.com/errata/RHSA-2025:4508 (RHSA-2025:4508) vendor-advisory

access.redhat.com/errata/RHSA-2025:7436 (RHSA-2025:7436) vendor-advisory

access.redhat.com/errata/RHSA-2025:8128 (RHSA-2025:8128) vendor-advisory

access.redhat.com/errata/RHSA-2025:8292 (RHSA-2025:8292) vendor-advisory

access.redhat.com/security/cve/CVE-2025-32907 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2359342 (RHBZ#2359342) issue-tracking

cve.org (CVE-2025-32907)

nvd.nist.gov (CVE-2025-32907)

Download JSON