An update for libsoup is now available for Red Hat Enterprise Linux 8.2
 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of
 Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libsoup packages provide an HTTP client and server library for GNOME.

Security Fix(es):

* libsoup: Out of bounds reads in soup_headers_parse_request() (CVE-2025-32906)

* libsoup: Double free on  soup_message_headers_get_content_disposition()
 through  "soup-message-headers.c" via "params" GHashTable value (CVE-2025-32911)

* libsoup: NULL pointer dereference in 
 soup_message_headers_get_content_disposition when "filename" parameter  is present, but has no value in Content-Disposition header (CVE-2025-32913)

* libsoup: Information disclosure may leads libsoup client sends Authorization
 header to a different host when being redirected by a server (CVE-2025-46421)

* libsoup: Memory leak on soup_header_parse_quality_list() via soup-headers.c
 (CVE-2025-46420)

For more details about the security issue(s), including the impact, a CVSS
 score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-32906: Out-of-bounds Read (CWE-125)
CVE-2025-32911: Free of Memory not on the Heap (CWE-590)
CVE-2025-32913: NULL Pointer Dereference (CWE-476)
CVE-2025-46420: Missing Release of Memory after Effective Lifetime (CWE-401)
CVE-2025-46421: Exposure of Sensitive System Information to an Unauthorized
 Control Sphere (CWE-497)