CVE-2025-46421 identifies a security flaw in the libsoup HTTP client library, which is commonly used in GNOME and other Linux-based applications, including Red Hat Enterprise Linux 10. The vulnerability arises when libsoup clients encounter HTTP redirects (3xx status codes). Instead of removing or restricting the Authorization header when following a redirect to a different host, libsoup erroneously forwards the Authorization header to the new host. This behavior exposes sensitive authentication credentials to potentially malicious third-party servers. An attacker controlling the redirect destination can capture these credentials and use them to impersonate the user to the original server, compromising confidentiality and integrity. The vulnerability requires user interaction (e.g., clicking a link that triggers a redirect), has a high attack complexity, and does not require prior privileges or authentication. The flaw does not impact system availability. Although no known exploits have been reported in the wild, the risk is significant due to the sensitive nature of leaked credentials. The CVSS v3.1 score is 6.8, reflecting medium severity, with the vector indicating network attack vector, high complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity. This issue primarily affects applications and systems using libsoup for HTTP communications, especially those running Red Hat Enterprise Linux 10. Mitigations include patching libsoup once updates are released, avoiding redirects to untrusted hosts, and implementing application-level controls to strip Authorization headers on redirects.

The primary impact of CVE-2025-46421 is the unauthorized disclosure of sensitive authentication credentials via HTTP Authorization headers sent to unintended hosts during redirects. This can lead to user impersonation attacks, allowing attackers to access protected resources on the original server with the victim's privileges. Organizations relying on libsoup for HTTP communications, particularly in Red Hat Enterprise Linux 10 environments, face risks of credential theft and subsequent unauthorized access. This can compromise confidential data and integrity of systems. Although availability is not affected, the breach of credentials can facilitate further attacks such as data exfiltration, privilege escalation, or lateral movement within networks. The requirement for user interaction and high attack complexity somewhat limits exploitation, but targeted phishing or social engineering could trigger the vulnerability. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it. Overall, the vulnerability poses a moderate threat to organizations with affected systems, especially those handling sensitive or critical data.

1. Apply official patches or updates to libsoup and Red Hat Enterprise Linux 10 as soon as they become available to correct the improper forwarding of Authorization headers. 2. Configure applications and HTTP clients to avoid following redirects to untrusted or external hosts, especially when Authorization headers are involved. 3. Implement application-layer logic to explicitly remove or sanitize Authorization headers before following redirects to different domains. 4. Educate users to be cautious with links that cause HTTP redirects, particularly from untrusted sources, to reduce the risk of social engineering exploitation. 5. Monitor network traffic for unusual Authorization header transmissions to unexpected hosts as an indicator of potential exploitation attempts. 6. Employ network segmentation and strict egress filtering to limit exposure of sensitive credentials to external or untrusted networks. 7. Review and restrict usage of HTTP redirects in internal applications where possible to minimize attack surface. 8. Conduct security assessments and penetration testing focused on redirect handling and credential leakage in affected environments.