CVE-2025-9901 identifies a vulnerability in the libsoup HTTP client library's caching mechanism, SoupCache, used within Red Hat Enterprise Linux 10. The core issue is that SoupCache fails to respect the HTTP Vary header when determining whether a cached response is appropriate for a given request. The Vary header instructs caches to store multiple versions of a response based on specified request headers, such as Accept-Language or Authorization, ensuring that users receive content tailored to their request context. Ignoring this header means that cached responses intended for one user or request context may be served to others, potentially leaking sensitive information like authentication tokens, personalized data, or localized content. This flaw is particularly dangerous in proxy servers or multi-user environments where multiple clients share the same caching infrastructure. The vulnerability has a CVSS 3.1 base score of 5.9, reflecting medium severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. Although no exploits are currently known in the wild, the risk of sensitive data exposure necessitates attention. The vulnerability does not affect data integrity or system availability but compromises confidentiality by enabling unauthorized data disclosure through cache poisoning or cache misuse.

The primary impact of CVE-2025-9901 is the potential unauthorized disclosure of sensitive information due to improper caching behavior. Organizations running Red Hat Enterprise Linux 10 in proxy or multi-user roles risk exposing confidential user data, including authentication credentials, personalized content, or other sensitive HTTP response data. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), and reputational damage. Although the vulnerability does not allow code execution or system compromise, the confidentiality breach can facilitate further attacks such as session hijacking or privilege escalation if sensitive tokens are leaked. The medium severity score reflects that exploitation requires network access and has high complexity, limiting widespread exploitation but still posing a significant risk in targeted environments. The flaw is less likely to impact single-user desktop systems but is critical in shared infrastructure scenarios common in enterprise and cloud deployments.

To mitigate CVE-2025-9901, organizations should: 1) Monitor Red Hat and libsoup project advisories closely and apply patches or updates as soon as they become available to fix the caching mechanism. 2) In the interim, configure proxy and caching servers to disable or limit caching of responses that include sensitive headers or authentication tokens, especially where the Vary header is present. 3) Implement strict cache-control headers such as 'Cache-Control: private' or 'no-store' on sensitive responses to prevent caching. 4) Audit and restrict access to shared caching infrastructure to minimize exposure. 5) Review and test caching behavior in multi-user environments to ensure that cached responses are correctly segregated by user or request context. 6) Consider deploying web application firewalls or reverse proxies that can enforce caching policies and detect anomalous cache usage. 7) Educate developers and administrators about the importance of the Vary header and proper cache management to avoid similar issues in custom applications.