WebKit GTK WebPage::send-request Signal Bypass Leading to Connection Leakage (CVE-2025-66286)

WebKit Bugzilla Vulnerability Summary Vulnerability Overview CVE ID: CVE-2025-66286 Title: [WPE][GTK] Certain connections to remote sites cannot be intercepted using WebPage::send-request signal Status: NEW Priority: P2 Severity: Major Operating System: Linux Product: Security Component: Security Reported Date: 2025-08-03 11:40 PDT Modified Date: 2026-04-07 21:24 PDT Impact Scope Affected Systems: Debian Bookworm/x86_64, WebKit GTK package: libwebkit2gtk-4.1 v. 2.40.3-2~deb12u2 Vulnerability Description: Even when attempting to block access to remote sites, WebKit’s WebPage::send-request signal handler still intercepts the connection, opens a socket connection, and performs a TLS handshake. If this access is triggered by malicious HTML content, such information may be leaked, and therefore it should be considered a security vulnerability. Fix Plan Steps: 1. Unpack the sample code package "sample.tar.gz" (Note: Based on Debian Bookworm, should work similarly on other Linux systems). 2. Start "tcptrap" or similar tool on ports 80/tcp and 443/tcp. 3. Run the application in "sample" to display the included HTML file. 4. Click the link. Expected Result: No connection to remote sites should be opened, especially if the WebPage::send-request signal handler redirects the request to a different location, no TLS handshake should occur. Hypothesis: The connection is established before WebPage::send-request is emitted, leading to this behavior. POC Code Additional Information Related Issues: - Evolution Issue #2727 - WebKitGTK+ Issue #15518216 - WebKitGTK+ Issue #2099 - WebKitGTK+ Issue #1680 Related CVE: CVE-2025-66286 Related Bugs: Bug-289716, Bug-289716, Bug-289716 Related Users: 39 users Related Keywords: InRadar Related Dependencies: 285007 Related Alias: CVE-2025-66286

Goal Reached Thanks to every supporter — we hit 100%!

WebKit GTK WebPage::send-request Signal Bypass Leading to Connection Leakage (CVE-2025-66286)