CVE-2025-9901

Severity: medium
Published 2025-09-03 · Modified 2026-05-06
CVSS v3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
VIR risk: 5.9

Description

A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.

Predictions

Exploit likelihood: 69%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE.

OS impact

OS | Version | Status | Fixed in
debian debian | forky | affected |
debian debian | sid | affected |
debian debian | bookworm | affected |
debian debian | bullseye | affected |
debian debian | trixie | affected |
suse sles | | affected |

References

CWEs

CWE-524
