CVE-2025-0725

Name: CVE-2025-0725

Description: When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

NVD Severity: unknown

References

| Type | URI |
| --- | --- |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-0725.html |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-0725.json |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://hackerone.com/reports/2956023 |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/02/05/3 |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/02/06/2 |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/02/06/4 |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250306-0009/ |

Match rules

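| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | curl | >= 0 | <= 8.11.1 |
| | curl | >= 0 | <= 8.11.0 |
| | curl | >= 0 | <= 8.10.1 |
| | curl | >= 0 | <= 8.10.0 |
| | curl | >= 0 | <= 8.9.1 |
| | curl | >= 0 | <= 8.9.0 |
| | curl | >= 0 | <= 8.8.0 |
| | curl | >= 0 | <= 8.7.1 |
| | curl | >= 0 | <= 8.7.0 |
| | curl | >= 0 | <= 8.6.0 |
| | curl | >= 0 | <= 8.5.0 |
| | curl | >= 0 | <= 8.4.0 |
| | curl | >= 0 | <= 8.3.0 |
| | curl | >= 0 | <= 8.2.1 |
| | curl | >= 0 | <= 8.2.0 |
| | curl | >= 0 | <= 8.1.2 |
| | curl | >= 0 | <= 8.1.1 |
| | curl | >= 0 | <= 8.1.0 |
| | curl | >= 0 | <= 8.0.1 |
| | curl | >= 0 | <= 8.0.0 |
| | curl | >= 0 | <= 7.88.1 |
| | curl | >= 0 | <= 7.88.0 |
| | curl | >= 0 | <= 7.87.0 |
| | curl | >= 0 | <= 7.86.0 |
| | curl | >= 0 | <= 7.85.0 |
| | curl | >= 0 | <= 7.84.0 |
| | curl | >= 0 | <= 7.83.1 |
| | curl | >= 0 | <= 7.83.0 |
| | curl | >= 0 | <= 7.82.0 |
| | curl | >= 0 | <= 7.81.0 |
| | curl | >= 0 | <= 7.80.0 |
| | curl | >= 0 | <= 7.79.1 |
| | curl | >= 0 | <= 7.79.0 |
| | curl | >= 0 | <= 7.78.0 |
| | curl | >= 0 | <= 7.77.0 |
| | curl | >= 0 | <= 7.76.1 |
| | curl | >= 0 | <= 7.76.0 |
| | curl | >= 0 | <= 7.75.0 |
| | curl | >= 0 | <= 7.74.0 |
| | curl | >= 0 | <= 7.73.0 |
| | curl | >= 0 | <= 7.72.0 |
| | curl | >= 0 | <= 7.71.1 |
| | curl | >= 0 | <= 7.71.0 |
| | curl | >= 0 | <= 7.70.0 |
| | curl | >= 0 | <= 7.69.1 |
| | curl | >= 0 | <= 7.69.0 |
| | curl | >= 0 | <= 7.68.0 |
| | curl | >= 0 | <= 7.67.0 |
| | curl | >= 0 | <= 7.66.0 |
| | curl | >= 0 | <= 7.65.3 |
| | curl | >= 0 | <= 7.65.2 |
| | curl | >= 0 | <= 7.65.1 |
| | curl | >= 0 | <= 7.65.0 |
| | curl | >= 0 | <= 7.64.1 |
| | curl | >= 0 | <= 7.64.0 |
| | curl | >= 0 | <= 7.63.0 |
| | curl | >= 0 | <= 7.62.0 |
| | curl | >= 0 | <= 7.61.1 |
| | curl | >= 0 | <= 7.61.0 |
| | curl | >= 0 | <= 7.60.0 |
| | curl | >= 0 | <= 7.59.0 |
| | curl | >= 0 | <= 7.58.0 |
| | curl | >= 0 | <= 7.57.0 |
| | curl | >= 0 | <= 7.56.1 |
| | curl | >= 0 | <= 7.56.0 |
| | curl | >= 0 | <= 7.55.1 |
| | curl | >= 0 | <= 7.55.0 |
| | curl | >= 0 | <= 7.54.1 |
| | curl | >= 0 | <= 7.54.0 |
| | curl | >= 0 | <= 7.53.1 |
| | curl | >= 0 | <= 7.53.0 |
| | curl | >= 0 | <= 7.52.1 |
| | curl | >= 0 | <= 7.52.0 |
| | curl | >= 0 | <= 7.51.0 |
| | curl | >= 0 | <= 7.50.3 |
| | curl | >= 0 | <= 7.50.2 |
| | curl | >= 0 | <= 7.50.1 |
| | curl | >= 0 | <= 7.50.0 |
| | curl | >= 0 | <= 7.49.1 |
| | curl | >= 0 | <= 7.49.0 |
| | curl | >= 0 | <= 7.48.0 |
| | curl | >= 0 | <= 7.47.1 |
| | curl | >= 0 | <= 7.47.0 |
| | curl | >= 0 | <= 7.46.0 |
| | curl | >= 0 | <= 7.45.0 |
| | curl | >= 0 | <= 7.44.0 |
| | curl | >= 0 | <= 7.43.0 |
| | curl | >= 0 | <= 7.42.1 |
| | curl | >= 0 | <= 7.42.0 |
| | curl | >= 0 | <= 7.41.0 |
| | curl | >= 0 | <= 7.40.0 |
| | curl | >= 0 | <= 7.39.0 |
| | curl | >= 0 | <= 7.38.0 |
| | curl | >= 0 | <= 7.37.1 |
| | curl | >= 0 | <= 7.37.0 |
| | curl | >= 0 | <= 7.36.0 |
| | curl | >= 0 | <= 7.35.0 |
| | curl | >= 0 | <= 7.34.0 |
| | curl | >= 0 | <= 7.33.0 |
| | curl | >= 0 | <= 7.32.0 |
| | curl | >= 0 | <= 7.31.0 |
| | curl | >= 0 | <= 7.30.0 |
| | curl | >= 0 | <= 7.29.0 |
| | curl | >= 0 | <= 7.28.1 |
| | curl | >= 0 | <= 7.28.0 |
| | curl | >= 0 | <= 7.27.0 |
| | curl | >= 0 | <= 7.26.0 |
| | curl | >= 0 | <= 7.25.0 |
| | curl | >= 0 | <= 7.24.0 |
| | curl | >= 0 | <= 7.23.1 |
| | curl | >= 0 | <= 7.23.0 |
| | curl | >= 0 | <= 7.22.0 |
| | curl | >= 0 | <= 7.21.7 |
| | curl | >= 0 | <= 7.21.6 |
| | curl | >= 0 | <= 7.21.5 |
| | curl | >= 0 | <= 7.21.4 |
| | curl | >= 0 | <= 7.21.3 |
| | curl | >= 0 | <= 7.21.2 |
| | curl | >= 0 | <= 7.21.1 |
| | curl | >= 0 | <= 7.21.0 |
| | curl | >= 0 | <= 7.20.1 |
| | curl | >= 0 | <= 7.20.0 |
| | curl | >= 0 | <= 7.19.7 |
| | curl | >= 0 | <= 7.19.6 |
| | curl | >= 0 | <= 7.19.5 |
| | curl | >= 0 | <= 7.19.4 |
| | curl | >= 0 | <= 7.19.3 |
| | curl | >= 0 | <= 7.19.2 |
| | curl | >= 0 | <= 7.19.1 |
| | curl | >= 0 | <= 7.19.0 |
| | curl | >= 0 | <= 7.18.2 |
| | curl | >= 0 | <= 7.18.1 |
| | curl | >= 0 | <= 7.18.0 |
| | curl | >= 0 | <= 7.17.1 |
| | curl | >= 0 | <= 7.17.0 |
| | curl | >= 0 | <= 7.16.4 |
| | curl | >= 0 | <= 7.16.3 |
| | curl | >= 0 | <= 7.16.2 |
| | curl | >= 0 | <= 7.16.1 |
| | curl | >= 0 | <= 7.16.0 |
| | curl | >= 0 | <= 7.15.5 |
| | curl | >= 0 | <= 7.15.4 |
| | curl | >= 0 | <= 7.15.3 |
| | curl | >= 0 | <= 7.15.2 |
| | curl | >= 0 | <= 7.15.1 |
| | curl | >= 0 | <= 7.15.0 |
| | curl | >= 0 | <= 7.14.1 |
| | curl | >= 0 | <= 7.14.0 |
| | curl | >= 0 | <= 7.13.2 |
| | curl | >= 0 | <= 7.13.1 |
| | curl | >= 0 | <= 7.13.0 |
| | curl | >= 0 | <= 7.12.3 |
| | curl | >= 0 | <= 7.12.2 |
| | curl | >= 0 | <= 7.12.1 |
| | curl | >= 0 | <= 7.12.0 |
| | curl | >= 0 | <= 7.11.2 |
| | curl | >= 0 | <= 7.11.1 |
| | curl | >= 0 | <= 7.11.0 |
| | curl | >= 0 | <= 7.10.8 |
| | curl | >= 0 | <= 7.10.7 |
| | curl | >= 0 | <= 7.10.6 |
| | curl | >= 0 | <= 7.10.5 |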

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| curl | edge-main | 8.11.0-r2 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | edge-main | 8.11.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | edge-main | 8.11.1-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | edge-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.21-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.20-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.19-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.18-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |