CVE-2025-14523: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Red Hat Red Hat Enterprise Linux 10
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
AI Analysis
Technical Summary
CVE-2025-14523 is a vulnerability discovered in the HTTP header processing logic of libsoup, a GNOME HTTP client/server library used in Red Hat Enterprise Linux 10. The issue arises from the handling of multiple Host headers in a single HTTP request. Specifically, the backend server processes the last Host header, while common front proxies honor the first Host header. This inconsistency leads to virtual host (vhost) confusion, where the proxy routes the request to one backend host, but the backend interprets it as destined for another. This mismatch can be exploited to conduct HTTP request smuggling attacks, where an attacker crafts requests that bypass security controls or poison caches by exploiting the differing interpretations of the Host header. The vulnerability does not require authentication or user interaction, and the attack vector is network-based, making it remotely exploitable. The CVSS 3.1 score of 8.2 reflects the high impact on integrity and moderate impact on confidentiality, with no impact on availability. Although no exploits are known in the wild yet, the potential for cache poisoning and access control bypass poses a significant risk to systems relying on this software stack. The vulnerability affects Red Hat Enterprise Linux 10 installations that use libsoup in environments with front proxies, such as reverse proxies or load balancers, which are common in enterprise deployments. The root cause is the inconsistent HTTP Host header parsing between proxy and backend, a classic HTTP request smuggling scenario that can be leveraged to bypass security controls or poison caches, potentially leading to data leakage or unauthorized access.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those deploying Red Hat Enterprise Linux 10 in web-facing environments with front proxies or load balancers. The ability to smuggle HTTP requests can lead to cache poisoning, allowing attackers to serve malicious content to users or bypass host-based access controls, potentially exposing sensitive data or enabling unauthorized actions. This can compromise the confidentiality and integrity of web applications and internal services. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which often rely on Red Hat Enterprise Linux and complex proxy architectures, are particularly at risk. The attack does not require authentication, increasing the threat surface. Additionally, the inconsistency in Host header processing can disrupt security policies based on virtual hosting, leading to unauthorized access or privilege escalation. The lack of known exploits in the wild suggests a window for proactive mitigation, but the high CVSS score indicates that exploitation could have serious consequences.
Mitigation Recommendations
To mitigate CVE-2025-14523, organizations should prioritize applying official patches from Red Hat as soon as they become available. In the interim, administrators should audit and harden proxy and backend configurations to ensure consistent interpretation of HTTP Host headers. This includes configuring proxies to reject requests with multiple Host headers or to normalize headers before forwarding. Implementing strict input validation and sanitization at the proxy level can prevent malformed requests from reaching backend servers. Additionally, deploying Web Application Firewalls (WAFs) with rules to detect and block HTTP request smuggling attempts can provide an additional layer of defense. Monitoring HTTP traffic for anomalies related to multiple Host headers or unusual request patterns is recommended. Network segmentation and limiting exposure of vulnerable services to untrusted networks can reduce risk. Finally, organizations should review host-based access control policies to ensure they do not rely solely on Host headers for security decisions, as this can be bypassed by this vulnerability.
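The proxy-level rejection recommended above, as an added example (not code from libsoup, Red Hat or this advisory): a Python check that a filtering layer could run on the raw request head before forwarding. The function names and sample requests are constructed for illustration. The check goes slightly beyond the text by also rejecting a request with no Host header, which HTTP/1.1 servers are required to answer with 400 as well.

```python
"""Pre-forwarding Host header check (illustrative; all names are hypothetical)."""


class HostHeaderError(ValueError):
    """The request should be answered with 400 Bad Request, not forwarded."""


def host_values(raw_head):
    """Return every Host field value in the request head, in wire order."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Matching is deliberately lenient (case-insensitive, surrounding
        # whitespace ignored) so that oddly formatted Host lines are counted
        # rather than missed by the check.
        if sep and name.strip().lower() == b"host":
            values.append(value.strip().decode("latin-1"))
    return values


def first_last(raw_head):
    """Show what a first-wins hop and a last-wins hop would each see."""
    values = host_values(raw_head)
    return (values[0], values[-1]) if values else (None, None)


def check_host(raw_head):
    """Return the single Host value, or raise if hops could disagree."""
    values = host_values(raw_head)
    if len(values) != 1:
        raise HostHeaderError(
            "expected exactly one Host header, got %d" % len(values))
    return values[0]


# Constructed sample requests (not captured traffic).
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: public.example\r\n\r\n"
SAMPLE_DUPLICATE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"host: internal.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_host(SAMPLE_OK))
    print(first_last(SAMPLE_DUPLICATE))
```

The same counting logic can feed monitoring: logging `first_last()` for rejected requests records which two hosts the proxy and a last-wins backend would have seen.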
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-12-11T07:03:53.445Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693abef77d4c6f31f7ada077
Added to database: 12/11/2025, 12:54:15 PM
Last enriched: 12/11/2025, 1:08:57 PM
Last updated: 12/11/2025, 10:59:48 PM