CVE-2025-14523

high

Description

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2026:1572

https://access.redhat.com/errata/RHSA-2026:1571

https://access.redhat.com/errata/RHSA-2026:1570

https://access.redhat.com/errata/RHSA-2026:1569

https://access.redhat.com/errata/RHSA-2026:1509

https://access.redhat.com/errata/RHSA-2026:0925

https://access.redhat.com/errata/RHSA-2026:0911

https://access.redhat.com/errata/RHSA-2026:0909

https://access.redhat.com/errata/RHSA-2026:0908

https://access.redhat.com/errata/RHSA-2026:0907

https://access.redhat.com/errata/RHSA-2026:0906

https://access.redhat.com/errata/RHSA-2026:0905

https://access.redhat.com/errata/RHSA-2026:0868

https://access.redhat.com/errata/RHSA-2026:0867

https://access.redhat.com/errata/RHSA-2026:0836

https://access.redhat.com/errata/RHSA-2026:0423

https://access.redhat.com/errata/RHSA-2026:0422

https://access.redhat.com/errata/RHSA-2026:0421

https://bugzilla.redhat.com/show_bug.cgi?id=2421349

https://access.redhat.com/security/cve/CVE-2025-14523

Details

Source: Mitre, NVD

Published: 2025-12-11

Updated: 2026-01-29

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Severity: High

CVSS v4

Base Score: 8.3

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00028