Search for packages
| purl | pkg:generic/curl.se/curl@8.14.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ch4q-bmr1-pff5
Aliases: CVE-2025-5399 |
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-83qm-twsu-k3hm | libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. |
CVE-2025-4947
|
| VCID-yfzf-g3sh-ubf5 | libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. |
CVE-2025-5025
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-06-05T14:47:45.628108+00:00 | Curl Importer | Affected by | VCID-ch4q-bmr1-pff5 | https://curl.se/docs/CVE-2025-5399.json | 36.1.0 |
| 2025-05-28T20:09:44.959002+00:00 | Curl Importer | Fixing | VCID-83qm-twsu-k3hm | https://curl.se/docs/CVE-2025-4947.json | 36.0.0 |
| 2025-05-28T20:09:44.915332+00:00 | Curl Importer | Fixing | VCID-yfzf-g3sh-ubf5 | https://curl.se/docs/CVE-2025-5025.json | 36.0.0 |