CURL-CVE-2025-13034

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2025-13034.html

Import Source

https://curl.se/docs/CURL-CVE-2025-13034.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2025-13034

Aliases

CVE-2025-13034

Published

2026-01-07T08:00:00Z

Modified

2026-01-09T05:52:56.567311Z

Summary

No QUIC certificate pinning with GnuTLS

Details

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Database specific

{
    "award": {
        "currency": "USD",
        "amount": "2540"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2025-13034.json",
    "severity": "Medium",
    "affects": "both",
    "www": "https://curl.se/docs/CVE-2025-13034.html",
    "last_affected": "8.17.0",
    "CWE": {
        "id": "CWE-295",
        "desc": "Improper Certificate Validation"
    }
}

References

Credits

- Stanislav Fort (Aisle Research) - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

8.8.0

Fixed

8.18.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

3210101088dfa3d6a125d213226b092f2f866722

Fixed

3d91ca8cdb3b434226e743946d428b4dd3acf2c9

Affected versions

8.*

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.8.0

8.9.0

8.9.1

Database specific

source

"https://curl.se/docs/CURL-CVE-2025-13034.json"

vanir_signatures

[
    {
        "target": {
            "file": "lib/vquic/vquic-tls.c"
        },
        "id": "CURL-CVE-2025-13034-9519d576",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "179428586170313273926297589203595614773",
                "50410129086084055542981604961884526649",
                "229285328376556365516419558986911544574",
                "290211129843678487728733807699954415981",
                "85966206325908396785535920920966795191",
                "256107137115537267719741446232912209871",
                "274571685078768113572757999914112884789",
                "152929441713491423709269128526208759794",
                "14007745848759525254627443170726810812",
                "243907996199602420186187158036089872846"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "Curl_vquic_tls_verify_peer",
            "file": "lib/vquic/vquic-tls.c"
        },
        "id": "CURL-CVE-2025-13034-c5db70af",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9",
        "signature_version": "v1",
        "digest": {
            "function_hash": "133740698772490697791508953444701241693",
            "length": 1242.0
        }
    }
]