
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was found in libsoup's caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This vulnerability, identified as CVE-2025-9901, affects the SoupCache implementation of the libsoup HTTP library. The issue was disclosed on September 3, 2025, and impacts systems where libsoup's caching functionality is explicitly enabled (NVD, Red Hat Bugzilla).
The vulnerability stems from an implementation flaw in the soup_cache_has_response() function, where HTTP Vary header validation is not properly implemented. This header is designed to ensure that responses vary appropriately based on request headers such as language or authentication. The vulnerability has been assigned CWE-524 (Use of Cache Containing Sensitive Information) and has received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability can lead to cached content being incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in significant confidentiality breaches in proxy or multi-user environments. The primary risk is the potential disclosure of highly sensitive or user-specific content to unintended recipients (Red Hat Bugzilla).
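The check that a cache has to make before reusing a stored response, as an added example (not libsoup's code and not the upstream fix): every request header named in the stored response's Vary value must match between the original and the incoming request, as RFC 9111 section 4.1 requires. The `hdr` type, the function names and the sample requests are hypothetical, and values are compared byte for byte without normalization.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed request model: header list terminated by a NULL name. */
typedef struct { const char *name, *value; } hdr;

/* Constructed sample requests for the same URL from two different users. */
static const hdr req_alice[] = {{"Authorization", "Bearer alice-example"}, {"Accept-Language", "en"}, {NULL, NULL}};
static const hdr req_bob[]   = {{"authorization", "Bearer bob-example"},   {"Accept-Language", "en"}, {NULL, NULL}};

/* Case-insensitive lookup of the n-byte field name starting at `name`. */
static const char *hdr_get(const hdr *h, const char *name, size_t n) {
    for (; h->name; h++) {
        size_t i = 0;
        if (strlen(h->name) != n) continue;
        while (i < n && tolower((unsigned char)h->name[i]) == tolower((unsigned char)name[i])) i++;
        if (i == n) return h->value;
    }
    return NULL;
}

/* 1 if the response stored for request `stored` may be served to `incoming`
 * given the stored response's Vary value (NULL = no Vary header), else 0. */
int vary_allows_reuse(const char *vary, const hdr *stored, const hdr *incoming) {
    const char *p = vary ? vary : "";
    for (;;) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;   /* skip separators */
        size_t n = strcspn(p, ", \t");
        if (n == 0) return 1;                      /* every listed field matched */
        if (n == 1 && *p == '*') return 0;         /* "Vary: *" never matches */
        const char *a = hdr_get(stored, p, n), *b = hdr_get(incoming, p, n);
        if (!a != !b) return 0;                    /* present in only one request */
        if (a && strcmp(a, b) != 0) return 0;      /* values differ */
        p += n;
    }
}

int main(void) {
    const char *vary = "Authorization, Accept-Language";
    /* A URL-only lookup would hand Alice's cached response to Bob here. */
    printf("reuse for bob:   %d\n", vary_allows_reuse(vary, req_alice, req_bob));
    printf("reuse for alice: %d\n", vary_allows_reuse(vary, req_alice, req_alice));
    return 0;
}
```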
Source: This report was generated using AI