CURL-CVE-2025-13034

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2025-13034.html

Import Source

https://curl.se/docs/CURL-CVE-2025-13034.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2025-13034

Aliases

CVE-2025-13034

Published

2026-01-07T08:00:00Z

Modified

2026-05-27T02:29:00.881279Z

Summary

No QUIC certificate pinning with GnuTLS

Details

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Database specific

{
    "package": "curl",
    "award": {
        "currency": "USD",
        "amount": "2540"
    },
    "affects": "both",
    "last_affected": "8.17.0",
    "severity": "Medium",
    "CWE": {
        "id": "CWE-295",
        "desc": "Improper Certificate Validation"
    },
    "URL": "https://curl.se/docs/CVE-2025-13034.json",
    "www": "https://curl.se/docs/CVE-2025-13034.html"
}

References

Credits

- Stanislav Fort (Aisle Research) - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

8.8.0

Fixed

8.18.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

3210101088dfa3d6a125d213226b092f2f866722

Fixed

3d91ca8cdb3b434226e743946d428b4dd3acf2c9

Affected versions

8.*

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.8.0

8.9.0

8.9.1

Other

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_8_0

curl-8_9_0

curl-8_9_1

Database specific

source

"https://curl.se/docs/CURL-CVE-2025-13034.json"

vanir_signatures_modified

"2026-05-27T02:29:00Z"

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "lib/vquic/vquic-tls.c"
        },
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "179428586170313273926297589203595614773",
                "50410129086084055542981604961884526649",
                "229285328376556365516419558986911544574",
                "290211129843678487728733807699954415981",
                "85966206325908396785535920920966795191",
                "256107137115537267719741446232912209871",
                "274571685078768113572757999914112884789",
                "152929441713491423709269128526208759794",
                "14007745848759525254627443170726810812",
                "243907996199602420186187158036089872846"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9",
        "id": "CURL-CVE-2025-13034-9519d576"
    },
    {
        "deprecated": false,
        "target": {
            "file": "lib/vquic/vquic-tls.c",
            "function": "Curl_vquic_tls_verify_peer"
        },
        "signature_type": "Function",
        "digest": {
            "function_hash": "133740698772490697791508953444701241693",
            "length": 1242.0
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9",
        "id": "CURL-CVE-2025-13034-c5db70af"
    }
]