CVE-2025-46421: 
Alma Linux vulnerability analysis and mitigation

A security vulnerability (CVE-2025-46421) was discovered in libsoup, affecting versions prior to 3.6.5. The vulnerability was disclosed on April 24, 2025, and involves an authentication information disclosure issue when handling HTTP redirects. The flaw affects libsoup clients, which is a HTTP client/server library for GNOME applications (NVD, Red Hat Bugzilla).

The vulnerability occurs when libsoup clients encounter an HTTP redirect. The client mistakenly sends the HTTP Authorization header to the new host that the redirection points to, instead of properly managing the authentication credentials. This implementation flaw has been assigned a CVSS v3.1 Base Score of 6.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows the new host to impersonate the user to the original host that issued the redirect. This can lead to unauthorized access and potential credential theft, as the redirected host receives authentication credentials intended for the original host (NVD, Red Hat Bugzilla).

The vulnerability has been fixed in libsoup version 3.6.5. Users and organizations using affected versions of libsoup should upgrade to the patched version to prevent potential exploitation (Red Hat Bugzilla).