CURL-CVE-2025-5025

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2025-5025.html
Import Source
https://curl.se/docs/CURL-CVE-2025-5025.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2025-5025
Aliases
Published
2025-05-28T08:00:00Z
Modified
2025-05-28T08:10:29Z
Summary
No QUIC certificate pinning with wolfSSL
Details

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL.

Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3.

Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

Database specific 
{
    "CWE": {
        "desc": "Improper Certificate Validation",
        "id": "CWE-295"
    },
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2025-5025.html",
    "severity": "Medium",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2025-5025.json",
    "award": {
        "currency": "USD",
        "amount": "2540"
    },
    "last_affected": "8.13.0",
    "issue": "https://hackerone.com/reports/3153497"
}
References
Credits
    • Hiroki Kurosawa - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.5.0
Fixed
8.14.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
5f78cf503c786a1d48d13528dde038bccfa6c67c
Fixed
e1f65937a96a451292e9231339672797da86ecc5

Affected versions

8.*

8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1