CVE-2025-46421: Exposure of Sensitive System Information to an Unauthorized Control Sphere
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.
AI Analysis
Technical Summary
CVE-2025-46421 is a vulnerability discovered in libsoup, a GNOME HTTP client/server library widely used in Linux environments, including Red Hat Enterprise Linux 10. The flaw arises when libsoup clients encounter HTTP redirects (3xx responses). Instead of removing or restricting sensitive headers, libsoup mistakenly forwards the HTTP Authorization header to the new host specified in the redirect. This behavior violates the principle of least privilege and exposes sensitive authentication credentials to potentially untrusted or malicious hosts. The consequence is that the redirected host can impersonate the user to the original host, leveraging the leaked credentials to gain unauthorized access or perform actions on behalf of the user. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS 3.1 base score is 6.8 (medium), with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating network attack vector, high attack complexity, no privileges required, user interaction needed, unchanged scope, and high impact on confidentiality and integrity. No known exploits have been reported in the wild yet. The vulnerability is particularly relevant for applications and services that rely on libsoup for HTTP communications and handle sensitive authentication tokens or credentials. The flaw can be exploited by tricking a user or client into following a malicious redirect, which then captures the Authorization header. This vulnerability underscores the importance of careful handling of HTTP headers during redirects and the risks of automatic forwarding of sensitive information.
Potential Impact
For European organizations, the impact of CVE-2025-46421 can be significant, especially for those using Red Hat Enterprise Linux 10 in environments where libsoup is employed for HTTP communications involving sensitive credentials. The unauthorized exposure of the Authorization header can lead to credential theft, unauthorized access to internal systems, and potential lateral movement within networks. This is particularly critical for sectors such as finance, healthcare, government, and critical infrastructure, where sensitive data and regulatory compliance are paramount. The flaw could facilitate targeted phishing or man-in-the-middle attacks that exploit redirects to capture credentials. Although the attack requires user interaction and has high attack complexity, the potential for impersonation and data breach elevates the risk. Organizations relying on automated HTTP clients or services that follow redirects without validation are especially vulnerable. The absence of known exploits in the wild provides a window for proactive mitigation, but the medium severity rating demands timely attention to prevent exploitation.
Mitigation Recommendations
1. Apply patches or updates from Red Hat or the libsoup project as soon as they become available to address this vulnerability.
2. Audit and modify application code that uses libsoup to handle HTTP redirects carefully, ensuring Authorization headers are not forwarded to untrusted or external hosts.
3. Implement strict validation of redirect URLs to allow only trusted domains or hosts, preventing redirection to malicious endpoints.
4. Use network-level controls such as web proxies or firewalls to monitor and restrict HTTP redirects and outgoing Authorization headers.
5. Educate users and administrators about the risks of following unexpected HTTP redirects, especially in sensitive environments.
6. Consider disabling automatic redirect following in libsoup-based clients where feasible, or configure them to strip sensitive headers on redirects.
7. Monitor logs and network traffic for unusual redirect patterns or unexpected Authorization header transmissions.
8. Incorporate this vulnerability into incident response plans to quickly detect and respond to potential exploitation attempts.
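As an added illustration (not libsoup's code or the upstream fix), the Python below shows the redirect policy that recommendations 2, 3 and 6 describe for a client that follows redirects itself: resolve the Location header against the request URL, refuse targets outside an allow-list or an https-to-http downgrade, and drop credential-bearing headers whenever the origin (scheme, host, port) changes. All function names and the example URLs are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials for one origin; forwarding them to a
# different origin is exactly the CVE-2025-46421 failure mode.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers, trusted_hosts=None):
    """
    Compute (target_url, headers_to_send) for following one redirect.

    Raises ValueError when the target host is not in trusted_hosts
    (recommendation 3) or the redirect downgrades https to http.
    Credential headers are stripped on any change of origin (recommendation 6);
    same-origin redirects keep them, so normal auth flows still work.
    """
    # Location may be relative ("/v1/b"); resolve it against the request URL.
    target = urljoin(request_url, location)
    src, dst = origin(request_url), origin(target)

    if trusted_hosts is not None and dst[1] not in trusted_hosts:
        raise ValueError(f"redirect to untrusted host {dst[1]!r} refused")
    if src[0] == "https" and dst[0] != "https":
        raise ValueError("refusing https -> http downgrade on redirect")

    if src == dst:
        return target, dict(headers)

    # Cross-origin redirect: forward everything except credential headers.
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, kept
```

Plugging this policy into the redirect loop of a client, or running it over proxy logs that record request URL, Location and outgoing headers, turns recommendation 7 into a concrete check: any cross-origin hop where Authorization survived is a finding.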
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-04-24T01:37:42.413Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeb079
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 11/18/2025, 9:31:12 AM
Last updated: 11/22/2025, 2:58:21 AM
Views: 34