libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
{ "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "www": "https://curl.se/docs/CVE-2025-4947.html", "issue": "https://hackerone.com/reports/3150884", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-4947.json", "award": { "currency": "USD", "amount": "2540" }, "last_affected": "8.13.0", "severity": "Medium", "package": "curl" }