Package details: pkg:generic/curl.se/curl@8.12.0
purl pkg:generic/curl.se/curl@8.12.0
Next non-vulnerable version 8.14.1
Latest non-vulnerable version 8.14.1
Risk 3.1
Vulnerabilities affecting this package (2)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-83qm-twsu-k3hm (Aliases: CVE-2025-4947) | libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. | 8.14.0 (Affected by 1 other vulnerability.) |
| VCID-yfzf-g3sh-ubf5 (Aliases: CVE-2025-5025) | libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. | 8.14.0 (Affected by 1 other vulnerability.) |
Vulnerabilities fixed by this package (3)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-8kh8-j9n2-a3e7 | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. | CVE-2025-0665 |
| VCID-97mb-c19v-bqcx | libcurl: Buffer Overflow in libcurl via zlib Integer Overflow | CVE-2025-0725 |
| VCID-t6fs-2jn9-bfbg | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. | CVE-2025-0167 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2025-05-28T20:09:44.952844+00:00 | Curl Importer | Affected by | VCID-83qm-twsu-k3hm | https://curl.se/docs/CVE-2025-4947.json | 36.0.0 |
| 2025-05-28T20:09:44.906775+00:00 | Curl Importer | Affected by | VCID-yfzf-g3sh-ubf5 | https://curl.se/docs/CVE-2025-5025.json | 36.0.0 |
| 2025-03-28T13:43:16.671856+00:00 | Curl Importer | Fixing | VCID-t6fs-2jn9-bfbg | https://curl.se/docs/CVE-2025-0167.json | 36.0.0 |
| 2025-03-28T13:43:16.438525+00:00 | Curl Importer | Fixing | VCID-8kh8-j9n2-a3e7 | https://curl.se/docs/CVE-2025-0665.json | 36.0.0 |
| 2025-03-28T13:43:16.389783+00:00 | Curl Importer | Fixing | VCID-97mb-c19v-bqcx | https://curl.se/docs/CVE-2025-0725.json | 36.0.0 |