CVE-2025-4945: Libsoup: integer overflow in cookie expiration date handling in libsoup

CVSS 3.7

Description

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.
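The page does not show libsoup's code, so the following is an added example written here, not the project's own: the defensive pattern this class of bug calls for, turning a cookie Max-Age value into an absolute expiry without any unchecked date arithmetic. It assumes a 64-bit `time_t`, the GCC/Clang `__builtin_add_overflow` builtin, and a 400-day lifetime cap chosen here as an illustrative policy.

```c
/* Added example, not libsoup code: overflow-checked cookie Max-Age handling.
 * Assumes 64-bit time_t and GCC/Clang checked-arithmetic builtins. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Assumed policy for this example: no cookie outlives 400 days, whatever the header says. */
#define MAX_COOKIE_LIFETIME ((int64_t)400 * 24 * 60 * 60)

/* Parse a Max-Age attribute: RFC 6265 allows an optional leading '-' then digits.
 * Anything that does not fit in 64 bits is rejected instead of being wrapped. */
bool parse_max_age(const char *text, int64_t *out)
{
    if (!text || !*text) return false;
    const char *p = text + (*text == '-');
    if (!*p) return false;                          /* a lone '-' is not a number */
    for (; *p; p++)
        if (*p < '0' || *p > '9') return false;     /* reject spaces, '+', exponents */
    errno = 0;
    char *end;
    long long v = strtoll(text, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;  /* out of range: refuse it */
    *out = v;
    return true;
}

/* now + max_age with the addition checked; false means the sum would overflow.
 * The clamp runs before the add, so a huge header value cannot reach the arithmetic. */
bool cookie_expiry(time_t now, int64_t max_age, time_t *expires)
{
    if (max_age <= 0) { *expires = now; return true; }     /* RFC 6265: expire at once */
    if (max_age > MAX_COOKIE_LIFETIME) max_age = MAX_COOKIE_LIFETIME;
    int64_t sum;
    if (__builtin_add_overflow((int64_t)now, max_age, &sum)) return false;
    *expires = (time_t)sum;
    return true;
}

/* Full path from header text to expiry. Any failure is reported to the caller,
 * which should fall back to a session cookie, never to "never expires". */
bool apply_max_age(time_t now, const char *text, time_t *expires)
{
    int64_t max_age;
    return parse_max_age(text, &max_age) && cookie_expiry(now, max_age, expires);
}
```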

Classification

CVE ID: CVE-2025-4945

CVSS Base Severity: LOW

CVSS Base Score: 3.7

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem Types

Integer Overflow or Wraparound

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 10.51% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-06 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4945
https://access.redhat.com/security/cve/CVE-2025-4945
https://bugzilla.redhat.com/show_bug.cgi?id=2367175

Timeline