CVE-2025-14523

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-14523
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

8.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2026:0421
https://access.redhat.com/errata/RHSA-2026:0422
https://access.redhat.com/errata/RHSA-2026:0423
https://access.redhat.com/errata/RHSA-2026:0836
https://access.redhat.com/errata/RHSA-2026:0867
https://access.redhat.com/errata/RHSA-2026:0868
https://access.redhat.com/errata/RHSA-2026:0905
https://access.redhat.com/errata/RHSA-2026:0906
https://access.redhat.com/errata/RHSA-2026:0907
https://access.redhat.com/errata/RHSA-2026:0908
https://access.redhat.com/errata/RHSA-2026:0909
https://access.redhat.com/errata/RHSA-2026:0911
https://access.redhat.com/errata/RHSA-2026:0925
https://access.redhat.com/errata/RHSA-2026:1509
https://access.redhat.com/errata/RHSA-2026:1569
https://access.redhat.com/errata/RHSA-2026:1570
https://access.redhat.com/errata/RHSA-2026:1571
https://access.redhat.com/errata/RHSA-2026:1572
https://access.redhat.com/security/cve/CVE-2025-14523
https://bugzilla.redhat.com/show_bug.cgi?id=2421349
Configurations

No configuration.

History

29 Jan 2026, 16:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:1569 -
  • () https://access.redhat.com/errata/RHSA-2026:1572 -

29 Jan 2026, 12:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:1570 -
  • () https://access.redhat.com/errata/RHSA-2026:1571 -

28 Jan 2026, 20:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:1509 -

21 Jan 2026, 16:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0925 -

21 Jan 2026, 10:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0908 -
  • () https://access.redhat.com/errata/RHSA-2026:0909 -
  • () https://access.redhat.com/errata/RHSA-2026:0911 -

21 Jan 2026, 06:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0905 -
  • () https://access.redhat.com/errata/RHSA-2026:0906 -
  • () https://access.redhat.com/errata/RHSA-2026:0907 -

20 Jan 2026, 16:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0867 -
  • () https://access.redhat.com/errata/RHSA-2026:0868 -

20 Jan 2026, 10:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0836 -

12 Jan 2026, 03:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:0421 -
  • () https://access.redhat.com/errata/RHSA-2026:0422 -
  • () https://access.redhat.com/errata/RHSA-2026:0423 -

11 Dec 2025, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-12-11 13:15

Updated : 2026-01-29 16:16

NVD link : CVE-2025-14523

Mitre link : CVE-2025-14523

CVE.ORG link : CVE-2025-14523

JSON object : View

Products Affected

No product.

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')