libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL.
The documentation states that the option works with wolfSSL, but does not mention that it is silently ineffective for QUIC / HTTP/3 transfers with that backend.
Because a successful pin check is what allows a pinned transfer to proceed, silently skipping the check means the transfer succeeds whether or not the server's public key matches the configured pin. A user relying on pinning over HTTP/3 with wolfSSL could therefore unwittingly connect to an impostor server without noticing; the transfer gives no indication that the pin was never checked.
{
"www": "https://curl.se/docs/CVE-2025-5025.html",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"issue": "https://hackerone.com/reports/3153497",
"severity": "Medium",
"package": "curl",
"URL": "https://curl.se/docs/CVE-2025-5025.json",
"award": {
"amount": "2540",
"currency": "USD"
},
"affects": "both",
"last_affected": "8.13.0"
}[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"328535129410183437562957898973881791781",
"180781890156043256218487831298191102995",
"285974129629105676882781803210090083756",
"254717071962375362783950884203908060508",
"286179645271025820010706787947250101991",
"227757139270925710304655007857435960963",
"18352228180198020919291693099374205450",
"28380090232625837061501378457299474009",
"261106116514411988873034566766241964142",
"120909023730509951889998663196030158874",
"1535221693443447621189047525432523033",
"67420959791795684234644295001091237450",
"180276100295828073298606632009816381168",
"221585592054420396123102823970016034346",
"286383682614528935190138450464725223179"
]
},
"id": "CURL-CVE-2025-5025-219c4e0f",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vtls/wolfssl.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"148486550461138867129576406502765894046",
"222421913779729837568396885667412139041",
"4279076295803158960781588172455060495",
"106119213793413372079166082457208727378"
]
},
"id": "CURL-CVE-2025-5025-3a886e20",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vquic/vquic-tls.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "312124394985011906056469256849086812336",
"length": 2442.0
},
"id": "CURL-CVE-2025-5025-3b6161d2",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vtls/wolfssl.c",
"function": "wssl_connect"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"90476515338326768540026202697810299850",
"166699687223556424152768074499385923274",
"193297938239563647670720674045909070170",
"169969422080023593123148779863375297420",
"7586545564511708955992547475526418314",
"153512904584612614227244782181266503899",
"47410469342078373265238197047156043202",
"206926185032174781312143066095604816535",
"318001946720154455099339586774752108406"
]
},
"id": "CURL-CVE-2025-5025-507e710e",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vtls/wolfssl.h"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "7265168506872776594781231797554041452",
"length": 1613.0
},
"id": "CURL-CVE-2025-5025-f69c1b13",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vtls/wolfssl.c",
"function": "wssl_verify_pinned"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "21272719110480439985384758464724101584",
"length": 996.0
},
"id": "CURL-CVE-2025-5025-fb1f53fd",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5",
"target": {
"file": "lib/vquic/vquic-tls.c",
"function": "Curl_vquic_tls_verify_peer"
}
}
]