libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting over QUIC for HTTP/3 with wolfSSL as the TLS backend.
The documentation states that the option works with wolfSSL, without noting that it does not apply to QUIC and HTTP/3.
Because the pin is never checked on this path, the transfer succeeds just as it would if the pin had matched, so users could unwittingly connect to an impostor server without noticing.
{ "www": "https://curl.se/docs/CVE-2025-5025.html", "package": "curl", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "affects": "both", "last_affected": "8.13.0", "issue": "https://hackerone.com/reports/3153497", "award": { "amount": "2540", "currency": "USD" }, "severity": "Medium", "URL": "https://curl.se/docs/CVE-2025-5025.json" }
{ "vanir_signatures": [ { "id": "CURL-CVE-2025-5025-219c4e0f", "digest": { "line_hashes": [ "328535129410183437562957898973881791781", "180781890156043256218487831298191102995", "285974129629105676882781803210090083756", "254717071962375362783950884203908060508", "286179645271025820010706787947250101991", "227757139270925710304655007857435960963", "18352228180198020919291693099374205450", "28380090232625837061501378457299474009", "261106116514411988873034566766241964142", "120909023730509951889998663196030158874", "1535221693443447621189047525432523033", "67420959791795684234644295001091237450", "180276100295828073298606632009816381168", "221585592054420396123102823970016034346", "286383682614528935190138450464725223179" ], "threshold": 0.9 }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "file": "lib/vtls/wolfssl.c" }, "deprecated": false, "signature_type": "Line" }, { "id": "CURL-CVE-2025-5025-3a886e20", "digest": { "line_hashes": [ "148486550461138867129576406502765894046", "222421913779729837568396885667412139041", "4279076295803158960781588172455060495", "106119213793413372079166082457208727378" ], "threshold": 0.9 }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "file": "lib/vquic/vquic-tls.c" }, "deprecated": false, "signature_type": "Line" }, { "id": "CURL-CVE-2025-5025-3b6161d2", "digest": { "length": 2442.0, "function_hash": "312124394985011906056469256849086812336" }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "function": "wssl_connect", "file": "lib/vtls/wolfssl.c" }, "deprecated": false, "signature_type": "Function" }, { "id": "CURL-CVE-2025-5025-507e710e", "digest": { "line_hashes": [ "90476515338326768540026202697810299850", "166699687223556424152768074499385923274", 
"193297938239563647670720674045909070170", "169969422080023593123148779863375297420", "7586545564511708955992547475526418314", "153512904584612614227244782181266503899", "47410469342078373265238197047156043202", "206926185032174781312143066095604816535", "318001946720154455099339586774752108406" ], "threshold": 0.9 }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "file": "lib/vtls/wolfssl.h" }, "deprecated": false, "signature_type": "Line" }, { "id": "CURL-CVE-2025-5025-f69c1b13", "digest": { "length": 1613.0, "function_hash": "7265168506872776594781231797554041452" }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "function": "wssl_verify_pinned", "file": "lib/vtls/wolfssl.c" }, "deprecated": false, "signature_type": "Function" }, { "id": "CURL-CVE-2025-5025-fb1f53fd", "digest": { "length": 996.0, "function_hash": "21272719110480439985384758464724101584" }, "source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5", "signature_version": "v1", "target": { "function": "Curl_vquic_tls_verify_peer", "file": "lib/vquic/vquic-tls.c" }, "deprecated": false, "signature_type": "Function" } ] }