CVE-2025-4947

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-4947
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4947.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-4947
Aliases
Published
2025-05-28T07:15:24Z
Modified
2025-05-30T21:02:26.424550Z
Downstream
Summary
[none]
Details

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

References

Affected packages

Alpine:v3.22 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.14.0-r0

Affected versions

7.*

7.19.2-r0
7.19.2-r1
7.19.4-r0
7.19.5-r0
7.19.6-r0
7.19.7-r0
7.19.7-r1
7.20.1-r0
7.20.1-r1
7.21.0-r0
7.21.1-r0
7.21.2-r0
7.21.3-r0
7.21.3-r1
7.21.4-r0
7.21.4-r1
7.21.5-r0
7.21.5-r1
7.21.6-r0
7.21.7-r0
7.21.7-r1
7.21.7-r2
7.22.0-r0
7.23.1-r0
7.24.0-r0
7.25.0-r0
7.26.0-r0
7.27.0-r0
7.27.0-r1
7.28.0-r0
7.28.1-r0
7.29.0-r0
7.30.0-r0
7.31.0-r0
7.32.0-r0
7.33.0-r0
7.33.0-r1
7.34.0-r0
7.34.0-r1
7.35.0-r0
7.36.0-r0
7.37.0-r0
7.37.1-r0
7.38.0-r0
7.39.0-r0
7.40.0-r0
7.41.0-r0
7.42.0-r0
7.42.1-r0
7.42.1-r1
7.43.0-r0
7.44.0-r0
7.45.0-r0
7.45.0-r1
7.46.0-r0
7.46.0-r1
7.46.0-r2
7.47.0-r0
7.47.1-r0
7.48.0-r0
7.49.0-r0
7.49.1-r0
7.50.0-r0
7.50.1-r0
7.50.2-r0
7.50.3-r0
7.50.3-r1
7.51.0-r0
7.51.0-r1
7.52.0-r0
7.52.1-r0
7.52.1-r1
7.53.0-r0
7.53.1-r0
7.53.1-r1
7.53.1-r2
7.53.1-r3
7.54.0-r0
7.54.1-r0
7.55.0-r0
7.55.1-r0
7.56.0-r0
7.56.1-r0
7.56.1-r1
7.57.0-r0
7.58.0-r0
7.58.0-r1
7.58.0-r2
7.59.0-r0
7.59.0-r1
7.60.0-r0
7.60.0-r1
7.61.0-r0
7.61.1-r0
7.62.0-r0
7.62.0-r1
7.62.0-r2
7.63.0-r0
7.64.0-r0
7.64.0-r1
7.64.1-r0
7.64.1-r1
7.64.1-r2
7.64.1-r3
7.65.0-r0
7.65.1-r0
7.65.3-r0
7.66.0-r0
7.67.0-r0
7.68.0-r0
7.69.0-r0
7.69.0-r1
7.69.1-r0
7.70.0-r0
7.70.0-r1
7.70.0-r2
7.71.0-r0
7.71.0-r1
7.71.1-r0
7.72.0-r0
7.73.0-r0
7.74.0-r0
7.75.0-r0
7.76.0-r0
7.76.1-r0
7.77.0-r0
7.77.0-r1
7.78.0-r0
7.78.0-r1
7.78.0-r2
7.79.0-r0
7.79.1-r0
7.80.0-r0
7.81.0-r0
7.81.0-r1
7.82.0-r0
7.82.0-r1
7.83.0-r0
7.83.1-r0
7.83.1-r1
7.84.0-r0
7.84.0-r1
7.84.0-r2
7.85.0-r0
7.86.0-r0
7.86.0-r1
7.87.0-r0
7.87.0-r1
7.87.0-r2
7.87.0-r3
7.88.0-r0
7.88.0-r1
7.88.1-r0
7.88.1-r1

8.*

8.0.0-r0
8.0.1-r0
8.0.1-r1
8.0.1-r2
8.0.1-r3
8.1.0-r0
8.1.0-r1
8.1.0-r2
8.1.0-r3
8.1.1-r0
8.1.1-r1
8.1.2-r0
8.1.2-r1
8.1.2-r2
8.2.0-r0
8.2.0-r1
8.2.1-r0
8.3.0-r0
8.3.0-r1
8.4.0-r0
8.5.0-r0
8.5.0-r1
8.6.0-r0
8.6.0-r1
8.7.1-r0
8.8.0-r0
8.8.0-r1
8.9.0-r0
8.9.1-r0
8.9.1-r1
8.9.1-r2
8.10.0-r0
8.10.0-r1
8.10.1-r0
8.11.0-r0
8.11.0-r1
8.11.0-r2
8.11.1-r0
8.11.1-r1
8.12.0-r0
8.12.1-r0
8.12.1-r1
8.13.0-r0
8.13.0-r1

Debian:13 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.88.1-10
7.88.1-11

8.*

8.0.1-1~exp1
8.2.1-1
8.2.1-2~bpo12+1
8.2.1-2
8.3.0-1
8.3.0-2~bpo12+1
8.3.0-2~exp1
8.3.0-2
8.3.0-3
8.4.0-1
8.4.0-2~bpo12+1
8.4.0-2
8.5.0-1
8.5.0-1+exp1
8.5.0-2~bpo12+1
8.5.0-2
8.5.0-2+exp1
8.6.0-1
8.6.0-1.1
8.6.0-2
8.6.0-3
8.6.0-3.1~exp1
8.6.0-3.1~exp2
8.6.0-3.1
8.6.0-3.2
8.6.0-4
8.7.1-1
8.7.1-1+exp1
8.7.1-2
8.7.1-3
8.7.1-4
8.7.1-5~bpo12+1
8.7.1-5
8.7.1-5+exp1
8.8.0-1~bpo12+1
8.8.0-1
8.8.0-1+exp1
8.8.0-1+exp2
8.8.0-2
8.8.0-3
8.8.0-4
8.9.0-1
8.9.0-2
8.9.0-3
8.9.1-1
8.9.1-2~bpo12+1
8.9.1-2
8.10.0-1
8.10.0-2
8.10.1-1~bpo12+1
8.10.1-1
8.10.1-2
8.11.0-1
8.11.1-1~bpo12+1
8.11.1-1
8.12.0+git20250209.89ed161+ds-1~bpo12+1
8.12.0+git20250209.89ed161+ds-1
8.12.1-1
8.12.1-2~bpo12+1
8.12.1-2
8.12.1-3~bpo12+1
8.12.1-3
8.13.0~rc-1~exp1
8.13.0~rc-1~exp2
8.13.0~rc2-1
8.13.0~rc2-2
8.13.0~rc3-1
8.13.0~rc3-1+exp1
8.13.0-1
8.13.0-1+exp1
8.13.0-2
8.13.0-2+exp1
8.13.0-3
8.13.0-4
8.13.0-4+exp1
8.13.0-5~bpo12+1
8.13.0-5
8.13.0-5+exp1
8.14.0~rc1-1+exp1
8.14.0~rc2-1+exp1
8.14.0~rc3-1+exp1
8.14.0-1+exp1

Ecosystem specific 

{
    "urgency": "unimportant"
}