---

Introduction

On June 10, 2024, CVE-2025-32913 was published detailing a critical vulnerability in libsoup, a widely used HTTP client/server library for GNOME and Linux projects. The flaw lies in the way the function soup_message_headers_get_content_disposition() handles certain HTTP headers, allowing an attacker to cause a NULL pointer dereference that reliably crashes any client or server using this function.

This post dives deep into the technical details of CVE-2025-32913, gives you code snippets to demonstrate the crash, and provides guidance on detection and mitigation. If your application or any dependency uses libsoup’s soup_message_headers_get_content_disposition(), you should read on.

What is libsoup?

Libsoup is a GNOME HTTP library built on top of GObject. Used directly in Linux desktops and by popular apps (e.g., GNOME Web, Evolution, Flatpak), it handles HTTP parsing and communication at low and high levels.

Vulnerability type: NULL pointer dereference (causes a crash)

- Components affected: Any libsoup-based client, server, or service that calls this function with untrusted/attacker-controlled headers.

The core issue is that if the Content-Disposition: header is missing or malformed in a given HTTP message, the function does not properly check for a NULL value before dereferencing.

How the Crash Happens

Under normal use, the function expects a valid Content-Disposition header. If the header is missing, or purposefully malformed by an attacker, libsoup does:

const char *content_disp = soup_message_headers_get_one(headers, "Content-Disposition");

/* Problem: content_disp may be NULL! */
parsed = soup_content_disposition_parse(content_disp);
/* Here, a NULL is passed and dereferenced in the parse function */

This results in an immediate crash — a Denial of Service (DoS).

Here is a simple C snippet that simulates the crash

#include <libsoup/soup.h>

int main() {
    SoupMessageHeaders *headers = soup_message_headers_new(SOUP_MESSAGE_HEADERS_RESPONSE);

    // No 'Content-Disposition' set intentionally
    SoupContentDisposition *disp;

    // This will crash due to NULL pointer dereference
    disp = soup_message_headers_get_content_disposition(headers);

    // Never reached
    g_print("Disposition: %s\n", soup_content_disposition_get_param(disp, "filename"));
    soup_message_headers_free(headers);
    return ;
}

Compile and run. The program will crash with a segmentation fault.

How attack works in real life

- If a libsoup client downloads a file and expects Content-Disposition, attacker simply omits or strips this header.
- If a server reads a client’s multipart/form data and parses its headers, a malicious request with missing fields can trigger the bug.

*Automated tools*: Anything using libsoup_message_headers_get_content_disposition

If you call this function directly or use a dependency that does, you are at risk.

Exploit Details

The exploit is simple: send an HTTP request (to a vulnerable server) or respond (to a vulnerable client) with no Content-Disposition header.

For servers

curl -v -T myfile http://target:808/ --header ''
# or leave Content-Disposition header out entirely

For clients

Have an attacker control the HTTP server or proxy serving the resources.

No RCE (remote code execution) is possible as libsoup is not using this pointer beyond dereferencing it for reading. But a reliable DoS is achievable.

The fix is to add NULL checks before dereferencing

const char *content_disp = soup_message_headers_get_one(headers, "Content-Disposition");
if (content_disp != NULL) {
    parsed = soup_content_disposition_parse(content_disp);
    // continue as normal
} else {
    // handle missing header
}

You can see the upstream patch here (placeholder, will update with real link when published).

Upgrade to the latest release of libsoup. Most distributions have already backported the patch. See the official advisory for tracking.

References

- CVE-2025-32913 NVD entry
- libsoup documentation
- GitLab libsoup issues

Summary

*CVE-2025-32913* is a serious crash bug in libsoup when you call soup_message_headers_get_content_disposition() on headers lacking the relevant field. If you process untrusted HTTP messages with libsoup, you must update and review your code for NULL pointer checks. Failing to do so puts your client or server at risk of DoS by any attacker who can control HTTP headers.

Stay safe—patch early and always handle untrusted input!


*This post is original and exclusive. Please share responsibly and keep your systems up to date.*

Timeline

Published on: 04/14/2025 14:15:24 UTC
Last modified on: 04/15/2025 18:39:27 UTC