CVE-2025-4476: 
CBL Mariner vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2025-4476) was identified in the libsoup HTTP client library, discovered and disclosed on May 8, 2025. The vulnerability affects various versions of libsoup, including libsoup3 in Debian bookworm (3.2.2-2) and trixie/sid (3.6.5-1) distributions. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) and is classified as a NULL Pointer Dereference (CWE-476) (Wiz Report, NVD).

The vulnerability occurs in the soup_auth_digest_get_protection_space() function when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header leads to a NULL pointer dereference, which results in a crash of the client application using libsoup (Red Hat XML, Debian Tracker).

The vulnerability results in a denial-of-service condition affecting only the specific client instance actively communicating with the malicious service. The impact is limited to crashing the client application, without causing widespread system-level repercussions. Red Hat has assessed the severity as Low due to the limited scope of impact and the requirement for user interaction (Red Hat XML).

Red Hat strongly advises against connecting client applications relying on the libsoup library to untrusted HTTP servers until systems can be updated to a version of libsoup that includes the fix. A fix has been developed and is available through commit e64c221f9c7d09b48b610c5626b3b8c400f0907c (Debian Tracker, Red Hat XML).