Libsoup Cleartext Transmission of Cookies Vulnerability via HTTP Proxy

A vulnerability in Libsoup allows sensitive session cookies to be transmitted in cleartext through the initial HTTP CONNECT request when establishing HTTPS tunnels via a configured HTTP proxy. This flaw can be exploited by a network-positioned attacker or a malicious HTTP proxy to intercept these cookies, potentially leading to session hijacking or user impersonation. The issue affects Libsoup versions prior to the latest commit in February 2026.

Impact

Exploitation of this vulnerability allows for the interception of cookies, including secure session cookies, which can be used for session hijacking or user impersonation. In the case of Web-based remote management solutions, such intercepted cookies could lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by configuring an HTTP proxy and directing a Libsoup-based application, such as the Epiphany browser, to use that proxy. When the application sends an HTTPS request, the cookies are leaked in cleartext to the proxy. This can be verified by collecting the cookies from the proxy's output.

Remediation

Users can mitigate this vulnerability by ensuring that all HTTP proxies used for HTTPS tunnels are trusted and operate within a secure network. Avoid configuring applications to use untrusted HTTP proxies. If possible, bypass proxies for sensitive connections or use a secure proxy solution that encrypts the entire communication channel.