CVE-2025-9901 identifies a vulnerability in the libsoup HTTP client/server library used within Red Hat Enterprise Linux 10. The issue lies in the SoupCache component, which is responsible for caching HTTP responses to improve performance. Normally, the HTTP Vary header instructs caches to differentiate stored responses based on specific request headers such as Accept-Language or Authorization, ensuring that users receive the correct content variant. However, due to this flaw, SoupCache ignores the Vary header when deciding whether a cached response can be reused. Consequently, a cached response intended for one user or context may be served to another, potentially exposing sensitive data such as authentication tokens, personalized content, or confidential information. The vulnerability does not require any privileges or user interaction to exploit but has a higher attack complexity, as the attacker must be able to influence or observe HTTP traffic through the vulnerable caching mechanism. The flaw is unlikely to impact single-user desktop environments but poses a significant risk in proxy servers, multi-tenant systems, or environments where multiple users share the same caching infrastructure. The vulnerability affects Red Hat Enterprise Linux 10, a widely used enterprise-grade Linux distribution, particularly in server and cloud deployments. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The CVSS v3.1 score of 5.9 reflects a medium severity, primarily due to the confidentiality impact and the attack complexity.

For European organizations, the primary impact of CVE-2025-9901 is the potential unauthorized disclosure of sensitive information in environments where Red Hat Enterprise Linux 10 is used as a proxy or shared caching server. This could lead to breaches of personal data, intellectual property, or confidential communications, violating GDPR and other data protection regulations. Enterprises operating multi-user systems, cloud service providers, and ISPs using Red Hat Enterprise Linux 10 in caching roles are at particular risk. The confidentiality breach could damage organizational reputation, lead to regulatory fines, and compromise trust with customers and partners. Since the vulnerability does not affect data integrity or availability, the impact is focused on information leakage. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known. Organizations with strict compliance requirements and those handling sensitive or regulated data must prioritize addressing this vulnerability to avoid potential data leaks.

To mitigate CVE-2025-9901, European organizations should: 1) Apply any available patches or updates from Red Hat promptly once released, as this is the definitive fix. 2) Until patches are available, consider disabling or limiting the use of libsoup-based caching mechanisms in proxy or multi-user environments. 3) Implement strict access controls and network segmentation to restrict who can access vulnerable caching services. 4) Monitor HTTP traffic for anomalous cache hits or unexpected content served to users, which may indicate exploitation attempts. 5) Use alternative caching solutions that correctly respect the HTTP Vary header if feasible. 6) Conduct security audits and penetration testing focused on caching behavior to detect potential information leakage. 7) Educate system administrators about the risks of shared caching and the importance of proper cache configuration. 8) Review and enhance logging to capture relevant events that could help identify exploitation. These steps go beyond generic advice by focusing on the specific caching mechanism and operational context of the vulnerability.