CVE-2025-32907
Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header
In short
A flaw in libsoup's HTTP Range request handling lets a malicious client ask for the same or overlapping byte ranges many times within a single HTTP request, making the server allocate excessive memory and degrading its performance.
Technical detail
The vulnerability lies in libsoup's Range request parser, which does not adequately limit either the number of ranges or the degree of overlap among the ranges in a single HTTP Range header. An unauthenticated remote attacker can craft an HTTP request carrying many overlapping byte-range specifications so that the server consumes large amounts of memory, degrading availability without causing a complete denial of service.
Summary generated and translated by AI from the official description.
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
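As an added example (written for this page; it is not libsoup's code and not the upstream fix), the following C parser shows the two bounds a Range handler needs in order to resist the resource consumption described above: a cap on the number of range specs accepted from one request, enforced before each spec is parsed, and rejection of ranges that repeat or overlap. MAX_RANGES, the RANGE_ERR_* codes, the 1024-byte header limit and the 1000-byte resource length used in the demo are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not libsoup code: a bounded Range-header parser that
 * refuses the two inputs this CVE abuses, an unbounded number of range
 * specs and ranges that repeat or overlap each other. The cap, the error
 * codes and the resource length in the demo are assumptions. */

#define MAX_RANGES 16                    /* assumed cap on specs per request */

#define RANGE_ERR_SYNTAX        -1
#define RANGE_ERR_TOO_MANY      -2
#define RANGE_ERR_OVERLAP       -3
#define RANGE_ERR_UNSATISFIABLE -4

typedef struct { long start; long end; } byte_range;   /* inclusive bounds */

static int cmp_range(const void *a, const void *b) {
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse one spec ("0-99", "500-", "-200") against a resource of known length. */
static int parse_spec(const char *spec, long resource_len, byte_range *out) {
    const char *dash = strchr(spec, '-');
    char *endp;
    if (!dash) return RANGE_ERR_SYNTAX;
    if (dash == spec) {                               /* "-N": last N bytes */
        long n = strtol(dash + 1, &endp, 10);
        if (*endp || n <= 0) return RANGE_ERR_SYNTAX;
        if (n > resource_len) n = resource_len;
        out->start = resource_len - n;
        out->end = resource_len - 1;
        return 0;
    }
    long s = strtol(spec, &endp, 10);
    if (endp != dash || s < 0) return RANGE_ERR_SYNTAX;
    long e = resource_len - 1;                        /* "N-": to end of resource */
    if (dash[1] != '\0') {
        e = strtol(dash + 1, &endp, 10);
        if (*endp || e < s) return RANGE_ERR_SYNTAX;
        if (e > resource_len - 1) e = resource_len - 1;
    }
    if (s > resource_len - 1) return RANGE_ERR_UNSATISFIABLE;
    out->start = s;
    out->end = e;
    return 0;
}

/* Parse a full header value. Returns the number of accepted ranges (sorted,
 * non-overlapping) or a negative RANGE_ERR_* code. Work is bounded by
 * max_ranges: a flood of specs is rejected before it is parsed or stored. */
int parse_range_header(const char *value, long resource_len,
                       byte_range *ranges, int max_ranges) {
    char buf[1024];
    size_t n = 0;
    int count = 0;

    if (resource_len <= 0 || strncmp(value, "bytes=", 6) != 0)
        return RANGE_ERR_SYNTAX;
    /* Copy the spec list without optional whitespace; refuse oversized headers. */
    for (const char *p = value + 6; *p; p++) {
        if (isspace((unsigned char)*p)) continue;
        if (n + 1 >= sizeof buf) return RANGE_ERR_SYNTAX;
        buf[n++] = *p;
    }
    buf[n] = '\0';
    if (n == 0) return RANGE_ERR_SYNTAX;

    for (char *spec = buf; spec; ) {
        char *comma = strchr(spec, ',');
        if (comma) *comma = '\0';
        if (count >= max_ranges) return RANGE_ERR_TOO_MANY;  /* checked before parsing */
        if (*spec == '\0') return RANGE_ERR_SYNTAX;
        int rc = parse_spec(spec, resource_len, &ranges[count]);
        if (rc) return rc;
        count++;
        spec = comma ? comma + 1 : NULL;
    }

    /* Sort by start; a range starting at or before the previous end overlaps it,
     * which also catches exact duplicates of the same range. */
    qsort(ranges, count, sizeof *ranges, cmp_range);
    for (int i = 1; i < count; i++)
        if (ranges[i].start <= ranges[i - 1].end) return RANGE_ERR_OVERLAP;
    return count;
}

/* Status-only wrapper used by the demo. */
int range_header_status(const char *value, long resource_len) {
    byte_range ranges[MAX_RANGES];
    return parse_range_header(value, resource_len, ranges, MAX_RANGES);
}

int main(void) {
    const char *samples[] = {                /* constructed inputs */
        "bytes=0-99, 200-299", "bytes=-100", "bytes=0-99,0-99",
        "bytes=0-99,50-150", "bytes=2000-2100",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s -> %d\n", samples[i], range_header_status(samples[i], 1000));
    return 0;
}
```

Checking the count before parsing each spec, rather than after collecting them all, is what keeps the work and memory per request bounded; rejecting overlap after sorting makes a repeated identical range fail the same way as a partially overlapping one.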
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
libsoup
Red Hat · Red Hat Enterprise Linux 10
Red Hat · Red Hat Enterprise Linux 6
Red Hat · Red Hat Enterprise Linux 7
Red Hat · Red Hat Enterprise Linux 8
Red Hat · Red Hat Enterprise Linux 9
Red Hat · Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Red Hat · Red Hat Enterprise Linux 9.2 Extended Update Support
Red Hat · Red Hat Enterprise Linux 9.4 Extended Update Support
Red Hat · Red Hat In-Vehicle Operating System 1
References
https://access.redhat.com/errata/RHSA-2025:4439
https://access.redhat.com/errata/RHSA-2025:4440
https://access.redhat.com/errata/RHSA-2025:4508
https://access.redhat.com/errata/RHSA-2025:7436
https://access.redhat.com/errata/RHSA-2025:8128
https://access.redhat.com/errata/RHSA-2025:8292
https://access.redhat.com/security/cve/CVE-2025-32907
https://bugzilla.redhat.com/show_bug.cgi?id=2359342