A serious vulnerability, tracked as CVE-2025-4035, has been discovered in the popular libsoup library. The flaw lies in how libsoup clients handle cookies and can undermine session security and integrity. When processing a cookie, a libsoup client wrongly allows it to be set for a public suffix domain if the domain has at least two components and contains an uppercase character. That bypasses the protection that normally stops cookies from being scoped to a public suffix (a domain such as co.uk that many unrelated parties share), so a malicious website can set cookies for domains it does not own, with session fixation as the obvious consequence.
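The bug class behind this advisory is a public-suffix check that compares the cookie's Domain attribute as sent against a suffix list that is published in lowercase. The following is an added example, not libsoup's code: it uses a constructed five-entry suffix table and hypothetical function names (cookie_domain_allowed_weak, cookie_domain_allowed_strict) to show the weak, case-sensitive lookup beside a hardened one that canonicalizes the domain to ASCII lowercase before the lookup. It reduces the issue to that single comparison and does not reproduce libsoup's actual matching logic or its two-component condition.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed mini public-suffix table for this example. The real Public
 * Suffix List (https://publicsuffix.org/) is published in lowercase, which is
 * exactly why a case-sensitive lookup is unsafe. */
static const char *const PUBLIC_SUFFIXES[] = {
    "com", "uk", "co.uk", "github.io", NULL
};

/* ".co.uk" and "co.uk" name the same domain: drop one leading dot. */
static const char *strip_leading_dot(const char *domain)
{
    return (*domain == '.') ? domain + 1 : domain;
}

/* Weak check: compares the attribute exactly as sent, so "Co.UK" never
 * equals the table entry "co.uk" and slips past the check. */
static bool is_public_suffix_weak(const char *domain)
{
    for (const char *const *p = PUBLIC_SUFFIXES; *p != NULL; p++)
        if (strcmp(domain, *p) == 0)
            return true;
    return false;
}

/* Hardened check: canonicalize to ASCII lowercase, then do the same lookup. */
static bool is_public_suffix_strict(const char *domain)
{
    char canon[256];
    size_t len = strlen(domain);

    if (len >= sizeof canon)
        return true;    /* oversized attribute: refuse rather than guess */
    for (size_t i = 0; i <= len; i++)   /* copies the NUL terminator too */
        canon[i] = (char)tolower((unsigned char)domain[i]);
    return is_public_suffix_weak(canon);  /* table is lowercase, exact compare is now sound */
}

/* Policy (hypothetical names): a cookie may be set for a Domain attribute
 * only if that domain is not itself a public suffix. */
bool cookie_domain_allowed_weak(const char *domain_attr)
{
    return !is_public_suffix_weak(strip_leading_dot(domain_attr));
}

bool cookie_domain_allowed_strict(const char *domain_attr)
{
    return !is_public_suffix_strict(strip_leading_dot(domain_attr));
}

int main(void)
{
    /* Constructed Domain attributes as a malicious Set-Cookie might carry them. */
    const char *attrs[] = { ".co.uk", ".Co.UK", ".example.co.uk", ".GitHub.IO", ".Example.COM" };

    for (size_t i = 0; i < sizeof attrs / sizeof attrs[0]; i++)
        printf("%-16s weak: %-8s strict: %s\n", attrs[i],
               cookie_domain_allowed_weak(attrs[i]) ? "allowed" : "rejected",
               cookie_domain_allowed_strict(attrs[i]) ? "allowed" : "rejected");
    return 0;
}
```

Running it shows ".Co.UK" and ".GitHub.IO" accepted by the weak variant and rejected by the strict one, while ".example.co.uk" and ".Example.COM" (registrable domains, not suffixes) are accepted by both. The fix is cheap, and the right place for it is before the lookup rather than in the lookup: once the attribute is canonical, every later comparison against the suffix list and against the request host agrees on the same bytes.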
Code Snippet:
The affected logic is libsoup's cookie domain handling. The routine below decides whether a cookie's Domain attribute matches a given host; a domain cookie (leading dot) is first checked against a table of effective TLDs (public suffixes) so that a cookie scoped to a bare public suffix does not match:
/* Table of effective TLDs (public suffixes), assumed to be terminated by an
 * entry whose str is NULL. */
extern const struct { const char *str; int len; } effective_tlds[];

gboolean
soup_cookie_domain_matches (SoupCookie *cookie, const char *host)
{
	if (cookie->domain[0] == '.') {
		/* Domain cookie: match anything within the next effectiveTLD+1. */
		int host_len = strlen (host);
		int domain_len = strlen (cookie->domain);
		int i;

		for (i = 0; effective_tlds[i].str != NULL; i++) {
			/* Stop at a public suffix that the cookie domain is no
			 * longer than and that the host ends in (preceded by a
			 * dot, or being the suffix itself). */
			if (domain_len <= effective_tlds[i].len + 1 &&
			    host_len >= effective_tlds[i].len &&
			    g_ascii_strcasecmp (host + host_len - effective_tlds[i].len,
						effective_tlds[i].str) == 0 &&
			    (host_len == effective_tlds[i].len ||
			     host[host_len - effective_tlds[i].len - 1] == '.')) {
				break;
			}
		}
		/* The cookie domain is a bare public suffix: never a match. */
		if (effective_tlds[i].str != NULL)
			return FALSE;
		/* Otherwise the host must end with the cookie domain, so
		 * ".example.com" matches "www.example.com". */
		return host_len >= domain_len &&
		       g_ascii_strcasecmp (host + host_len - domain_len,
					   cookie->domain) == 0;
	} else
		return g_ascii_strcasecmp (cookie->domain, host) == 0;
}
Original References:
Further reading on the affected project and on the public suffix mechanism the check relies on:
1. LibSoup Official Repository: https://github.com/GNOME/libsoup
2. Gnome Libsoup Project: https://wiki.gnome.org/Projects/libsoup
3. Public Suffix List: https://publicsuffix.org/
Exploit Details:
The flaw lets an attacker scope a cookie to a public suffix domain by writing that domain with an uppercase character in the cookie's Domain attribute. A cookie scoped to a public suffix is sent to every site under that suffix, which breaks session management and integrity for those sites and enables session fixation.
To exploit it, the attacker needs a site that a victim using a libsoup-based client will visit, hosted under the same public suffix as the target (a shared parent domain that is on the Public Suffix List). That site answers with a Set-Cookie header whose Domain attribute names the public suffix in mixed case. A vulnerable client accepts the cookie and thereafter includes it in requests to every other site under that suffix, including the legitimate target. If the target reads its session identifier from that cookie, the attacker has planted a session of their choosing in the victim's browser session, which is the classic session fixation setup. The check that should stop this, rejecting any Domain attribute that is a public suffix, fails only because it is case-sensitive.
Conclusion
Given the severity of CVE-2025-4035, developers shipping libsoup-based clients should update to a fixed release as soon as one is available and rebuild against it. Operators of websites should keep monitoring reported vulnerabilities and apply patches promptly. Where a fix cannot be deployed immediately, services should not treat a cookie received from a public suffix scope as a trusted session identifier, since the integrity of such a cookie cannot be relied on. These measures reduce the risk from this flaw and help protect users' sessions and personal information.
Timeline
Published on: 04/29/2025 13:15:45 UTC
Last modified on: 04/29/2025 13:52:10 UTC