CVE CyberSecurity Database News

CVE-2025-32914 - Out-of-Bounds Read in libsoup Allows Malicious HTTP Clients to Crash Servers

Poster -

Date: June 2024
CVE: CVE-2025-32914
Component: libsoup
Severity: Medium

What is libsoup?

libsoup is a popular HTTP client/server library for GNOME, often used in Linux-based software to handle web requests. Many desktop applications, IoT devices, and embedded systems use it either directly or through other software.

The Flaw: Out-of-Bounds Read (CVE-2025-32914)

A bug was discovered in the function soup_multipart_new_from_message() within libsoup. This function is used to parse HTTP messages that contain multipart data, such as file uploads. The vulnerability is an out-of-bounds read, meaning a malicious client can send a specially crafted message to the server to make it read memory it shouldn’t access.

Summary:

The Vulnerable Function

Here’s a simplified and relevant piece of C code sketching how this problem might happen (for learning purpose only):

SoupMultipart *
soup_multipart_new_from_message (SoupMessage *msg)
{
    // ...
    char *boundary = extract_boundary_from_header(msg);
    char *body = get_body_pointer(msg);
    size_t length = get_body_length(msg);

    char *part_start = strstr(body, boundary);        // Find start of part
    if (part_start) {
        char *part_end = strstr(part_start, boundary); // Search for next boundary
        size_t part_len = part_end - part_start;
        // BAD: Does not ensure part_end is in buffer bounds!
        process_part(part_start, part_len);
    }
    // ...
}

What goes wrong:
If a client crafts the message without a proper end boundary, part_end becomes NULL. Subtracting pointers (part_end - part_start) results in a huge size or negative value (due to pointer math), causing an out-of-bounds read in process_part.

The attacker connects to a server using libsoup.

- Sends a POST request with a Content-Type: multipart/form-data header.

Malicious Request Example

POST /upload HTTP/1.1
Host: victim-server
Content-Type: multipart/form-data; boundary=----BOUNDARY
Content-Length: <very large or mismatched>

------BOUNDARY
Content-Disposition: form-data; name="file"; filename="x.txt"
Content-Type: text/plain

This is test data
------BOUNDARY
<missing actual end boundary>

Result: The server tries to find the end boundary and fails, reading past the buffer.

- Impact: The server process will likely crash, causing denial-of-service. In rare cases, if server error responses expose memory, a small amount of unintended data might leak.

Who is Affected?

- Any project using libsoup as an HTTP server and parsing multipart requests via soup_multipart_new_from_message().

Mitigation & Update

Immediate Mitigation:
- *Filter:* Block suspicious multipart requests from untrusted clients, especially from Internet-facing services.

*Proxy:* Place a web proxy in front of the server to validate multipart boundaries.

Patch & Upgrade:
- libsoup upstream patch link (GNOME Gitlab)
- Red Hat Security Advisory

Update your libsoup libraries as soon as the fix is released for your distribution.

References

- NVD: CVE-2025-32914
- libsoup GitLab Issue
- GNOME Security Team Advisory

Final Thoughts

This vulnerability is not remotely exploitable for code execution, but it can be abused to crash a server that accepts file uploads via HTTP. This is a good reminder to always validate external input, especially when parsing complex data formats like multipart forms.

Review your code, update your packages, and protect your applications!

*This article was written exclusively for educational purposes. Use responsibly. For questions or feedback, contact your OS security team.*

Timeline

Published on: 04/14/2025 15:15:25 UTC
Last modified on: 04/15/2025 18:39:27 UTC