Bug 2424652 (CVE-2025-66286)

Summary: CVE-2025-66286 webkitgtk: Authorization bypass through WebPage::send-request signal handler
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2461113, 2461114, 2461115, 2461116    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-23 17:47:45 UTC 
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the
WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler. Additionally, WebKit may create network connections that do not correspond to HTTP requests, such as for rel="preconnect". When WebKit is used by an email client, these flaws may be abused to allow the sender of an email to inappropriately detect that the email has been viewed by the recipient.

Affected versions: all versions of WebKitGTK and WPE WebKit

Credit to: Albrecht Dreß