CURL-CVE-2025-10148

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2025-10148.html
Import Source
https://curl.se/docs/CURL-CVE-2025-10148.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2025-10148
Aliases
Published
2025-09-10T08:00:00Z
Modified
2025-09-10T14:23:09Z
Summary
predictable WebSocket mask
Details

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Database specific 
{
    "award": {
        "currency": "USD",
        "amount": "505"
    },
    "affects": "both",
    "CWE": {
        "desc": "Generation of Predictable Numbers or Identifiers",
        "id": "CWE-340"
    },
    "URL": "https://curl.se/docs/CVE-2025-10148.json",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2025-10148.html",
    "last_affected": "8.15.0",
    "package": "curl",
    "issue": "https://hackerone.com/reports/3330839"
}
References
Credits
    • Calvin Ruocco (Vector Informatik GmbH) - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.11.0
Fixed
8.16.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
d78e129d50b2d190f1c1bde2ad1f62f02f152db0
Fixed
84db7a9eae8468c0445b15aa806fa7fa806fa0f2

Affected versions

8.*

8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0