CVE-2025-9901 is a medium-severity vulnerability affecting the caching mechanism of libsoup, specifically the SoupCache component, in Red Hat Enterprise Linux 10. The flaw arises because the HTTP Vary header is ignored when evaluating cached HTTP responses. The Vary header is critical in HTTP caching as it instructs caches to differentiate stored responses based on specific request headers such as language preferences or authentication tokens. Ignoring this header means that cached responses intended for one user or context could be erroneously served to another user or context. This can lead to unintended exposure of sensitive information, particularly in environments where multiple users share the same proxy or caching infrastructure. The vulnerability does not affect the integrity or availability of the system but poses a confidentiality risk by potentially leaking private data between users. Exploitation does not require authentication or user interaction, but the attack complexity is high since it requires network access and the ability to influence or observe cached HTTP traffic. The vulnerability is unlikely to impact typical desktop users but is a significant concern in multi-user or proxy-based environments, such as enterprise networks or hosting providers using Red Hat Enterprise Linux 10 with libsoup-based caching. No known exploits are reported in the wild as of the publication date, but the issue is recognized and published by Red Hat and the CVE database with a CVSS v3.1 score of 5.9, reflecting a medium severity level focused on confidentiality impact without integrity or availability compromise.

For European organizations, especially those operating proxy servers, web gateways, or multi-tenant environments on Red Hat Enterprise Linux 10, this vulnerability could lead to inadvertent disclosure of sensitive user data such as authentication tokens, session cookies, or personalized content. This breach of confidentiality could violate GDPR requirements on data protection and privacy, potentially resulting in regulatory penalties and reputational damage. Organizations in sectors with high privacy requirements—such as finance, healthcare, and government—are particularly at risk. The vulnerability could also undermine trust in internal or external web services if users receive cached responses meant for others. While the vulnerability does not allow system compromise or denial of service, the exposure of sensitive information could facilitate further attacks or data leaks. The risk is heightened in environments where caching proxies are shared among multiple users or departments without strict cache partitioning or isolation.

To mitigate this vulnerability, European organizations should: 1) Apply any available patches or updates from Red Hat promptly once released, as the vulnerability resides in libsoup’s caching mechanism. 2) Review and configure caching proxies and web gateways to ensure they respect the HTTP Vary header correctly or disable caching for sensitive endpoints where appropriate. 3) Implement strict cache partitioning or user-based cache isolation to prevent cross-user data leakage in multi-tenant environments. 4) Monitor network traffic for anomalous cache hits or unexpected content served to users, which may indicate exploitation attempts. 5) Conduct audits of web applications and proxy configurations to verify that sensitive data is not cached inadvertently. 6) Educate system administrators about the risks of improper cache handling and enforce security best practices in HTTP caching policies. These steps go beyond generic advice by focusing on configuration and operational controls specific to the vulnerability’s nature.