CVE-2025-5025

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-5025
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5025.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-5025
Aliases
Downstream
Published
2025-05-28T07:15:24Z
Modified
2025-10-10T05:10:52.423176Z
Summary
[none]
Details

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Introduced
7161cb17c01dcff1dc5bf89a18437d9d729f1ecd
Fixed
4dacb79fcdd9364c1083e06f6a011d797a344f47

Affected versions

Other

curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1