CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-52531: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There...

6.5 CVSS

Description

GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).

Classification

CVE ID: CVE-2024-52531

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Problem Types

CWE-787 Out-of-bounds Write

Affected Products

Vendor: GNOME

Product: libsoup

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (probability of being exploited)

EPSS Percentile: 27.93% (scored less or equal to compared to others)

EPSS Date: 2025-04-23 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-52531
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407#note_2316401
https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html

Timeline

2025-02-07 09:45:54 UTC
Tenable Plugins

RHEL 7 : libsoup (RHSA-2025:1047)
2025-02-07 09:46:13 UTC
Tenable Plugins

RHEL 8 : libsoup (RHSA-2025:1075)
2025-03-25 18:40:13 UTC
CVE

GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There...