CURL-CVE-2025-4947

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2025-4947.html
Import Source
https://curl.se/docs/CURL-CVE-2025-4947.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2025-4947
Aliases
Published
2025-05-28T08:00:00Z
Modified
2025-05-28T08:10:29Z
Summary
QUIC certificate check skip with wolfSSL
Details

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Database specific 
{
    "www": "https://curl.se/docs/CVE-2025-4947.html",
    "CWE": {
        "id": "CWE-295",
        "desc": "Improper Certificate Validation"
    },
    "issue": "https://hackerone.com/reports/3150884",
    "severity": "Medium",
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2025-4947.json",
    "last_affected": "8.13.0",
    "affects": "both",
    "award": {
        "amount": "2540",
        "currency": "USD"
    }
}
References
Credits
    • Hiroki Kurosawa - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.8.0
Fixed
8.14.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
4c46e277b2a0c0489de0e0fcb91f315c62f0369c
Fixed
a85f1df4803bbd272905c9e712537b41afeafbd3

Affected versions

8.*

8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.8.0
8.9.0
8.9.1

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "80211781897125907216617466032987610984",
                "68890303834346341213727486246797762367",
                "52142079782883376964682183668234246364",
                "68749118774670511271813411320118219036",
                "257651649534267240063617473881008983603",
                "72459915854897445456226013568529407607",
                "246962167824758465144668491832284230541",
                "148486550461138867129576406502765894046",
                "47205215324501448097833419745667265918",
                "97386622391566701874344023816512674624",
                "265537291877676368672848132467158892736"
            ]
        },
        "id": "CURL-CVE-2025-4947-43902428",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/a85f1df4803bbd272905c9e712537b41afeafbd3",
        "target": {
            "file": "lib/vquic/vquic-tls.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 963.0,
            "function_hash": "56537916447733253337736822579741998455"
        },
        "id": "CURL-CVE-2025-4947-74a0efb0",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/a85f1df4803bbd272905c9e712537b41afeafbd3",
        "target": {
            "file": "lib/vquic/vquic-tls.c",
            "function": "Curl_vquic_tls_verify_peer"
        }
    }
]