2421349 – (CVE-2025-14523) CVE-2025-14523 libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)

Bug 2421349 (CVE-2025-14523) - CVE-2025-14523 libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)

Summary: CVE-2025-14523 libsoup: libsoup: Duplicate Host Header Handling Causes Host-P...

Keywords:
Status:	NEW
Alias:	CVE-2025-14523
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2421351 2421352 2421353 2421354 2421355 2421356
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-11 07:35 UTC by OSIDB Bzimport
Modified:	2025-12-11 12:01 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-11 07:35:16 UTC

libsoup accepts duplicate Host: headers and implements a last-value-wins policy when soup_message_headers_get_one[_common] is used to construct the request URI, while many proxies and routers use the first Host: header for routing. The provided PoC reliably demonstrates that a proxy honoring the first Host: can route to backend A but the libsoup server will interpret the request as for host B (last header), enabling virtual-host confusion and potential bypasses of host-based ACLs or cache poisoning.

Note You need to log in before you can comment on or make changes to this bug.