CVE-2024-52531
CVE-2024-52531 is a medium-severity vulnerability in Gnome Libsoup with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-787.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (48th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-45941
- Weakness: CWE-787
- Affected product: Gnome Libsoup
- Published:
- Last modified:
Description
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).
Frequently asked questions
- What is CVE-2024-52531?
- GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).
- How severe is CVE-2024-52531?
- CVE-2024-52531 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2024-52531 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (48th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-52531?
- CVE-2024-52531 affects Gnome Libsoup. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-52531?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-52531 have an EU (EUVD) identifier?
- Yes. CVE-2024-52531 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45941.
- When was CVE-2024-52531 published?
- CVE-2024-52531 was published on 2024-11-11 and last updated on 2026-06-17.
References
- https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
- https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407#note_2316401
- https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home
- https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00014.html
Affected products (1)
- cpe:2.3:a:gnome:libsoup:*:*:*:*:*:*:*:*
More vulnerabilities in Gnome Libsoup
- CVE-2019-17266 — Critical (CVSS 9.8): libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in…
- CVE-2018-12910 — Critical (CVSS 9.8): The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an…
- CVE-2017-2885 — Critical (CVSS 9.8): An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP…
- CVE-2024-52532 — High (CVSS 7.5): GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of…
- CVE-2024-52530 — High (CVSS 7.5): GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of…
- CVE-2025-2784 — High (CVSS 7.0): A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the…
All CVEs affecting Gnome Libsoup →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…