CVE-2025-2784: 
NixOS vulnerability analysis and mitigation

A flaw was discovered in libsoup, identified as CVE-2025-2784. The vulnerability was found in the content sniffer's skipinsignificantwhitespace() function, affecting libsoup versions prior to 3.6.5. The issue was disclosed on April 2, 2025, and affects various versions of the libsoup package, including both libsoup2.4 and libsoup3 (NVD, Ubuntu).

The vulnerability is classified as a heap buffer over-read vulnerability in the content sniffer's skipinsignificantwhitespace() function. The CVSS v3.1 base score is 7.0 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H. The vulnerability is tracked under CWE-125 (Out-of-bounds Read) (NVD, Red Hat).

When exploited, this vulnerability allows libsoup clients to read one byte out-of-bounds in response to a crafted HTTP response sent by an HTTP server. This could potentially lead to information disclosure and system instability (Red Hat, Ubuntu).

Fixed versions have been released for various distributions. Ubuntu has released fixes for versions 24.10, 24.04 LTS, 22.04 LTS, and 20.04 LTS. For libsoup3, the fixes are available in versions 3.6.0-2ubuntu0.2, 3.4.4-5ubuntu0.2, and 3.0.7-0ubuntu1+esm2. The upstream fix is available in libsoup version 3.6.5 (Ubuntu).