{"id":"CVE-2025-2784","details":"A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out of bounds when processing a crafted HTTP response sent by an HTTP server.","modified":"2026-04-16T04:39:07.104478474Z","published":"2025-04-03T03:15:18.113Z","related":["ALSA-2025:7505","ALSA-2025:8126","ALSA-2025:8132","SUSE-SU-2025:01503-1","SUSE-SU-2025:01504-1","SUSE-SU-2025:1503-1","SUSE-SU-2025:1504-1","SUSE-SU-2025:1509-1","SUSE-SU-2025:1510-1","SUSE-SU-2025:1518-1","SUSE-SU-2025:1519-1","SUSE-SU-2025:20375-1","SUSE-SU-2025:20446-1","openSUSE-SU-2025:15018-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8139"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8252"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8480"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8481"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:7505"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8482"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8126"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:9179"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8132"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8140"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:8663"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2025-2784"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2354669"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:21657"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/libsoup/-/issues/422"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitla
b.gnome.org/GNOME/libsoup","events":[{"introduced":"0"},{"fixed":"766e17528251c9b696a6076300ac61adc95536ac"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.6.5"}]}}],"versions":["2.40.0","2.40.1","2.41.1","2.41.2","2.41.3","2.41.4","2.41.5","2.41.90","2.41.91","2.41.92","2.42.0","2.42.1","2.43.1","2.43.2","2.43.4","2.43.5","2.43.90","2.43.92","2.44.0","2.44.1","2.45.3","2.45.90","2.45.92","2.46.0","2.47.3","2.47.4","2.47.92","2.48.0","2.49.1","2.49.91","2.49.91.1","2.49.92","2.50.0","2.51.3","2.51.90","2.51.92","2.52.0","2.52.1","2.53.1","2.53.2","2.53.90","2.53.92","2.54.0","2.54.0.1","2.54.1","2.55.90","2.56.0","2.57.1","2.58.0","2.59.90","2.59.90.1","2.60.0","2.60.1","2.60.2","2.61.1","2.61.2","2.61.90","2.61.91","2.62.0","2.63.1","2.63.2","2.63.90","2.63.91","2.63.92","2.64.0","2.65.1","2.65.2","2.65.90","2.65.91","2.65.92","2.66.0","2.66.1","2.66.2","2.67.1","2.67.2","2.67.3","2.67.90","2.67.91","2.67.92","2.67.93","2.68.0","2.68.1","2.68.2","2.68.3","2.69.90","2.70.0","2.71.0","2.71.1","2.72.0","2.99.1","2.99.2","2.99.3","2.99.4","2.99.5","2.99.6","2.99.7","2.99.8","2.99.9","3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.1","3.1.2","3.1.3","3.1.4","3.2.0","3.3.0","3.3.1","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.5.1","3.5.2","3.6.0","3.6.1","3.6.2","3.6.3","3.6.4","LIBSOUP_1_99_15","LIBSOUP_1_99_16","LIBSOUP_1_99_17","LIBSOUP_1_99_19","LIBSOUP_1_99_20","LIBSOUP_1_99_22","LIBSOUP_1_99_23","LIBSOUP_1_99_24","LIBSOUP_1_99_25","LIBSOUP_2_1_10","LIBSOUP_2_1_11","LIBSOUP_2_1_12","LIBSOUP_2_1_13","LIBSOUP_2_1_2","LIBSOUP_2_1_3","LIBSOUP_2_1_4","LIBSOUP_2_1_5","LIBSOUP_2_1_6","LIBSOUP_2_1_7","LIBSOUP_2_1_8","LIBSOUP_2_1_9","LIBSOUP_2_23_1","LIBSOUP_2_23_6","LIBSOUP_2_23_91","LIBSOUP_2_23_92","LIBSOUP_2_24_0","LIBSOUP_2_25_1","LIBSOUP_2_25_2","LIBSOUP_2_25_4","LIBSOUP_2_25_5","LIBSOUP_2_25_91","LIBSOUP_2_26_0","LIBSOUP_2_26_0_9","LIBSOUP_2_26_1","LIBSOUP_2_27_1","LIBSOUP_2_27_2","LIBSOUP_2_27_4","LIBSOUP_2_27_5","LIBSOUP_2_27_90","LIBSOU
P_2_27_91","LIBSOUP_2_27_92","LIBSOUP_2_28_0","LIBSOUP_2_28_1","LIBSOUP_2_29_3","LIBSOUP_2_29_5","LIBSOUP_2_29_6","LIBSOUP_2_29_90","LIBSOUP_2_29_91","LIBSOUP_2_2_0","LIBSOUP_2_2_100","LIBSOUP_2_2_101","LIBSOUP_2_2_102","LIBSOUP_2_2_103","LIBSOUP_2_2_5","LIBSOUP_2_2_6","LIBSOUP_2_2_6_1","LIBSOUP_2_2_90_NOT_A_REAL_RELEASE","LIBSOUP_2_2_91","LIBSOUP_2_2_92","LIBSOUP_2_2_93","LIBSOUP_2_2_94","LIBSOUP_2_2_95_1","LIBSOUP_2_2_96","LIBSOUP_2_2_97","LIBSOUP_2_2_98","LIBSOUP_2_2_99","LIBSOUP_2_30_0","LIBSOUP_2_31_6","LIBSOUP_2_31_90","LIBSOUP_2_31_92","LIBSOUP_2_32_0","LIBSOUP_2_32_1","LIBSOUP_2_32_2","LIBSOUP_2_33_4","LIBSOUP_2_33_5","LIBSOUP_2_33_6","LIBSOUP_2_33_90","LIBSOUP_2_33_92","LIBSOUP_2_34_0","LIBSOUP_2_34_1","LIBSOUP_2_35_3","LIBSOUP_2_35_4","LIBSOUP_2_35_90","LIBSOUP_2_35_92","LIBSOUP_2_36_0","LIBSOUP_2_37_1","LIBSOUP_2_37_2","LIBSOUP_2_37_3","LIBSOUP_2_37_4","LIBSOUP_2_37_5","LIBSOUP_2_37_90","LIBSOUP_2_37_91","LIBSOUP_2_37_92","LIBSOUP_2_38_0","LIBSOUP_2_38_1","LIBSOUP_2_39_1","LIBSOUP_2_39_2","LIBSOUP_2_39_3","LIBSOUP_2_39_4","LIBSOUP_2_39_4_1","LIBSOUP_2_39_5","LIBSOUP_2_39_90","LIBSOUP_2_39_91","LIBSOUP_2_39_92","LIBSOUP_2_3_0_1","LIBSOUP_2_3_2","LIBSOUP_2_3_4","LIBSOUP_2_40_0","LIBSOUP_2_40_1","LIBSOUP_2_41_1","LIBSOUP_2_41_2","LIBSOUP_2_41_3","LIBSOUP_2_41_4","LIBSOUP_2_41_5","LIBSOUP_2_41_90","LIBSOUP_2_41_91","LIBSOUP_2_41_92","LIBSOUP_2_42_0","LIBSOUP_2_42_1","LIBSOUP_2_43_1","LIBSOUP_2_43_2","LIBSOUP_2_43_4","LIBSOUP_2_43_5","LIBSOUP_2_43_90","LIBSOUP_2_43_92","LIBSOUP_2_4_0","LIBSOUP_2_4_1","SOUP_0_4","SOUP_0_4_1","SOUP_0_5","SOUP_0_6_0","SOUP_2_2_100","gnome-2-12-base","libsoup-2-0-branch-base","libsoup-hacking-branch-base","libsoup-pre214-branch-base"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2784.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected"
:"10.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_ppc64le"}]},{"even
ts":[{"introduced":"0"},{"last_affected":"9.2_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}