VIR Vulnerability Intelligence Relay

CVE-2025-9901

medium
Published 2025-09-03 Β· Modified 2026-05-06
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
5.9

Description

A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.

Predictions

Exploit likelihood
69%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β€” if you've already worked around this in production β€” publish your fix to the community-verified tier.

✚ Propose a mitigation on Community β†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
debian Debian Affected 5 releases
VersionStatusFixed in
trixie Affected β€”
sid Affected β€”
forky Affected β€”
bullseye Affected β€”
bookworm Affected β€”
suse SUSE Affected 1 release
VersionStatusFixed in
β€” Affected β€”

References

CWEs

CWE-524

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.