VulnerableCode Package Details - pkg:generic/curl.se/curl@8.11.1

Search for packages

Package details: pkg:generic/curl.se/curl@8.11.1

Essentials
History (7)

purl	pkg:generic/curl.se/curl@8.11.1

Next non-vulnerable version	8.14.1
Latest non-vulnerable version	8.14.1
Risk	3.9

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-83qm-twsu-k3hm Aliases: CVE-2025-4947	libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.	8.14.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-8kh8-j9n2-a3e7 Aliases: CVE-2025-0665	libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.	8.12.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-97mb-c19v-bqcx Aliases: CVE-2025-0725	libcurl: Buffer Overflow in libcurl via zlib Integer Overflow	8.12.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-t6fs-2jn9-bfbg Aliases: CVE-2025-0167	When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.	8.12.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yfzf-g3sh-ubf5 Aliases: CVE-2025-5025	libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.	8.14.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-gw9j-gggs-t7at	When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.	CVE-2024-11053

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-05-28T20:09:44.950740+00:00	Curl Importer	Affected by	VCID-83qm-twsu-k3hm	https://curl.se/docs/CVE-2025-4947.json	36.0.0
2025-05-28T20:09:44.904694+00:00	Curl Importer	Affected by	VCID-yfzf-g3sh-ubf5	https://curl.se/docs/CVE-2025-5025.json	36.0.0
2025-03-28T13:43:16.666530+00:00	Curl Importer	Affected by	VCID-t6fs-2jn9-bfbg	https://curl.se/docs/CVE-2025-0167.json	36.0.0
2025-03-28T13:43:16.432976+00:00	Curl Importer	Affected by	VCID-8kh8-j9n2-a3e7	https://curl.se/docs/CVE-2025-0665.json	36.0.0
2025-03-28T13:43:16.381713+00:00	Curl Importer	Affected by	VCID-97mb-c19v-bqcx	https://curl.se/docs/CVE-2025-0725.json	36.0.0
2025-01-16T20:10:06.503383+00:00	Curl Importer	Fixing	VCID-gw9j-gggs-t7at	https://curl.se/docs/CVE-2024-11053.json	35.1.0
2024-12-11T08:35:48.061890+00:00	Curl Importer	Fixing	VCID-gw9j-gggs-t7at	https://curl.se/docs/CVE-2024-11053.json	35.0.0