VulnerableCode Package Details - pkg:deb/debian/curl@8.18.0~rc2-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-kt4b-7ffh-4bch	When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.	CVE-2025-13034
VCID-mkyr-w79c-qqfz	curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers	CVE-2025-14017
VCID-x57x-w8g8-7ybz	When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.	CVE-2025-14524

Vulnerability

Summary

Aliases

VCID-kt4b-7ffh-4bch

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

CVE-2025-13034

VCID-mkyr-w79c-qqfz

curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers

CVE-2025-14017

VCID-x57x-w8g8-7ybz

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

CVE-2025-14524

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T22:43:10.373491+00:00	Debian Importer	Fixing	VCID-x57x-w8g8-7ybz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-17T22:43:10.305751+00:00	Debian Importer	Fixing	VCID-mkyr-w79c-qqfz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-17T22:43:10.249392+00:00	Debian Importer	Fixing	VCID-kt4b-7ffh-4bch	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-03T07:21:25.324712+00:00	Debian Importer	Fixing	VCID-x57x-w8g8-7ybz	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:21:25.304185+00:00	Debian Importer	Fixing	VCID-mkyr-w79c-qqfz	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:21:25.283439+00:00	Debian Importer	Fixing	VCID-kt4b-7ffh-4bch	https://security-tracker.debian.org/tracker/data/json	38.1.0