libsoup
cpe:2.3:a:gnome:libsoup:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in libsoup, specifically in its handling of HTTP range requests. This issue allows a malicious client to cause excessive memory usage on the server by requesting the same range multiple times within a single HTTP request. While this vulnerability leads to increased resource consumption, it does not cause a complete denial of service.
Exploitation of this vulnerability causes excessive memory usage on the server, which can lead to degraded performance or instability.
To reproduce this vulnerability, send an HTTP request that includes the Range header with overlapping range requests. This can be done using tools like curl or Postman, or by writing a custom script that sends the appropriate HTTP requests. The server will respond by processing the overlapping range requests, which can cause increased memory usage and potentially degrade server performance.
Users can apply the available update for libsoup. Instructions for applying this update can be found in the Red Hat Product Errata RHSA-2025:4439, RHSA-2025:4440, RHSA-2025:4508, RHSA-2025:7436, and RHSA-2025:8128.
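Where the update cannot be applied immediately, a request filter in front of the server can refuse Range headers that repeat or overlap ranges. The following is an added example, not libsoup's code and not the fix shipped in the errata; the function name `check_range_header`, the verdict enum, and the `MAX_RANGES` limit of 16 are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 16  /* assumed policy limit, not a libsoup constant */

enum range_verdict { RANGE_OK = 0, RANGE_INVALID, RANGE_TOO_MANY, RANGE_OVERLAP };

/* Validate a Range header value against a resource of `len` bytes. */
enum range_verdict check_range_header(const char *value, unsigned long long len)
{
    unsigned long long start[MAX_RANGES], end[MAX_RANGES];
    size_t n = 0;

    if (strncmp(value, "bytes=", 6) != 0 || len == 0)
        return RANGE_INVALID;
    const char *p = value + 6;
    while (*p) {
        unsigned long long s, e;
        char *q;
        while (*p == ' ' || *p == ',') p++;        /* skip separators */
        if (!*p) break;
        if (n == MAX_RANGES) return RANGE_TOO_MANY;
        if (*p == '-') {                           /* suffix form "-N": last N bytes */
            if (!isdigit((unsigned char)p[1])) return RANGE_INVALID;
            unsigned long long suffix = strtoull(p + 1, &q, 10);
            if (suffix == 0) return RANGE_INVALID;
            s = suffix >= len ? 0 : len - suffix;
            e = len - 1;
        } else {
            if (!isdigit((unsigned char)*p)) return RANGE_INVALID;
            s = strtoull(p, &q, 10);
            if (*q != '-') return RANGE_INVALID;
            q++;
            if (isdigit((unsigned char)*q)) e = strtoull(q, &q, 10);
            else e = len - 1;                      /* open-ended form "N-" */
            if (e >= len) e = len - 1;             /* clamp to resource size */
            if (s > e) return RANGE_INVALID;       /* reversed or past the end */
        }
        while (*q == ' ') q++;
        if (*q != ',' && *q != '\0') return RANGE_INVALID;
        for (size_t i = 0; i < n; i++)             /* same or overlapping range seen? */
            if (s <= end[i] && start[i] <= e) return RANGE_OVERLAP;
        start[n] = s; end[n] = e; n++;
        p = q;
    }
    return n ? RANGE_OK : RANGE_INVALID;
}
```

A filter using this check would answer anything other than `RANGE_OK` with an error status or serve the full resource without honoring the header.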