libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
{ "issue": "https://hackerone.com/reports/3150884", "URL": "https://curl.se/docs/CVE-2025-4947.json", "www": "https://curl.se/docs/CVE-2025-4947.html", "package": "curl", "last_affected": "8.13.0", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "currency": "USD", "amount": "2540" }, "affects": "both", "severity": "Medium" }