CVE-2025-5025

Name
CVE-2025-5025
Description
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-5025.html |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-5025.json |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://hackerone.com/reports/3153497 |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/05/28/5 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | curl | >= 0 | <= 8.13.0 |
| | curl | >= 0 | <= 8.12.1 |
| | curl | >= 0 | <= 8.12.0 |
| | curl | >= 0 | <= 8.11.1 |
| | curl | >= 0 | <= 8.11.0 |
| | curl | >= 0 | <= 8.10.1 |
| | curl | >= 0 | <= 8.10.0 |
| | curl | >= 0 | <= 8.9.1 |
| | curl | >= 0 | <= 8.9.0 |
| | curl | >= 0 | <= 8.8.0 |
| | curl | >= 0 | <= 8.7.1 |
| | curl | >= 0 | <= 8.7.0 |
| | curl | >= 0 | <= 8.6.0 |
| | curl | >= 0 | <= 8.5.0 |
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | curl | >= 8.5.0 | < 8.14.0 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
curl edge-main 8.14.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.13.0-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.13.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.12.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.12.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.12.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.11.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.11.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.11.0-r2 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.11.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.10.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.9.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.9.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.7.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.6.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.5.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.4.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.3.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.1.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 8.0.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.88.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.87.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.86.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.85.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.84.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.83.1-r0 None fixed
curl edge-main 7.83.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.79.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.78.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.77.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl edge-main 7.76.0-r0 None fixed
curl edge-main 7.74.0-r0 None fixed
curl edge-main 7.72.0-r0 None fixed
curl edge-main 7.71.0-r0 None fixed
curl edge-main 7.66.0-r0 None fixed
curl edge-main 7.65.0-r0 None fixed
curl edge-main 7.64.0-r0 None fixed
curl edge-main 7.62.0-r0 None fixed
curl edge-main 7.61.1-r0 None fixed
curl edge-main 7.61.0-r0 None fixed
curl edge-main 7.60.0-r0 None fixed
curl edge-main 7.59.0-r0 None fixed
curl edge-main 7.57.0-r0 None fixed
curl edge-main 7.56.1-r0 None fixed
curl edge-main 7.55.0-r0 None fixed
curl edge-main 7.54.0-r0 None fixed
curl edge-main 7.53.1-r2 None fixed
curl edge-main 7.53.0-r0 None fixed
curl edge-main 7.52.1-r0 None fixed
curl edge-main 7.51.0-r0 None fixed
curl edge-main 7.50.3-r0 None fixed
curl edge-main 7.50.2-r0 None fixed
curl edge-main 7.50.1-r0 None fixed
curl edge-main 7.36.0-r0 None fixed
curl 3.22-main 8.14.0-r0 None fixed
curl 3.22-main 8.12.0-r0 None fixed
curl 3.22-main 8.11.1-r0 None fixed
curl 3.22-main 8.11.0-r0 None fixed
curl 3.22-main 8.10.0-r0 None fixed
curl 3.22-main 8.9.1-r0 None fixed
curl 3.22-main 8.9.0-r0 None fixed
curl 3.22-main 8.7.1-r0 None fixed
curl 3.22-main 8.6.0-r0 None fixed
curl 3.22-main 8.5.0-r0 None fixed
curl 3.22-main 8.4.0-r0 None fixed
curl 3.22-main 8.3.0-r0 None fixed
curl 3.22-main 8.1.0-r0 None fixed
curl 3.22-main 8.0.0-r0 None fixed
curl 3.22-main 7.88.0-r0 None fixed
curl 3.22-main 7.87.0-r0 None fixed
curl 3.22-main 7.86.0-r0 None fixed
curl 3.22-main 7.85.0-r0 None fixed
curl 3.22-main 7.84.0-r0 None fixed
curl 3.22-main 7.83.1-r0 None fixed
curl 3.22-main 7.83.0-r0 None fixed
curl 3.22-main 7.79.0-r0 None fixed
curl 3.22-main 7.78.0-r0 None fixed
curl 3.22-main 7.77.0-r0 None fixed
curl 3.22-main 7.76.0-r0 None fixed
curl 3.22-main 7.74.0-r0 None fixed
curl 3.22-main 7.72.0-r0 None fixed
curl 3.22-main 7.71.0-r0 None fixed
curl 3.22-main 7.66.0-r0 None fixed
curl 3.22-main 7.65.0-r0 None fixed
curl 3.22-main 7.64.0-r0 None fixed
curl 3.22-main 7.62.0-r0 None fixed
curl 3.22-main 7.61.1-r0 None fixed
curl 3.22-main 7.61.0-r0 None fixed
curl 3.22-main 7.60.0-r0 None fixed
curl 3.22-main 7.59.0-r0 None fixed
curl 3.22-main 7.57.0-r0 None fixed
curl 3.22-main 7.56.1-r0 None fixed
curl 3.22-main 7.55.0-r0 None fixed
curl 3.22-main 7.54.0-r0 None fixed
curl 3.22-main 7.53.1-r2 None fixed
curl 3.22-main 7.53.0-r0 None fixed
curl 3.22-main 7.52.1-r0 None fixed
curl 3.22-main 7.51.0-r0 None fixed
curl 3.22-main 7.50.3-r0 None fixed
curl 3.22-main 7.50.2-r0 None fixed
curl 3.22-main 7.50.1-r0 None fixed
curl 3.22-main 7.36.0-r0 None fixed
curl 3.21-main 8.14.0-r0 None fixed
curl 3.21-main 8.12.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.12.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.12.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.11.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.11.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.11.0-r2 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.21-main 8.11.0-r0 None fixed
curl 3.21-main 8.10.0-r0 None fixed
curl 3.21-main 8.9.1-r0 None fixed
curl 3.21-main 8.9.0-r0 None fixed
curl 3.21-main 8.7.1-r0 None fixed
curl 3.21-main 8.6.0-r0 None fixed
curl 3.21-main 8.5.0-r0 None fixed
curl 3.21-main 8.4.0-r0 None fixed
curl 3.21-main 8.3.0-r0 None fixed
curl 3.21-main 8.1.0-r0 None fixed
curl 3.21-main 8.0.0-r0 None fixed
curl 3.21-main 7.88.0-r0 None fixed
curl 3.21-main 7.87.0-r0 None fixed
curl 3.21-main 7.86.0-r0 None fixed
curl 3.21-main 7.85.0-r0 None fixed
curl 3.21-main 7.84.0-r0 None fixed
curl 3.21-main 7.83.1-r0 None fixed
curl 3.21-main 7.83.0-r0 None fixed
curl 3.21-main 7.79.0-r0 None fixed
curl 3.21-main 7.78.0-r0 None fixed
curl 3.21-main 7.77.0-r0 None fixed
curl 3.21-main 7.76.0-r0 None fixed
curl 3.21-main 7.74.0-r0 None fixed
curl 3.21-main 7.72.0-r0 None fixed
curl 3.21-main 7.71.0-r0 None fixed
curl 3.21-main 7.66.0-r0 None fixed
curl 3.21-main 7.65.0-r0 None fixed
curl 3.21-main 7.64.0-r0 None fixed
curl 3.21-main 7.62.0-r0 None fixed
curl 3.21-main 7.61.1-r0 None fixed
curl 3.21-main 7.61.0-r0 None fixed
curl 3.21-main 7.60.0-r0 None fixed
curl 3.21-main 7.59.0-r0 None fixed
curl 3.21-main 7.57.0-r0 None fixed
curl 3.21-main 7.56.1-r0 None fixed
curl 3.21-main 7.55.0-r0 None fixed
curl 3.21-main 7.54.0-r0 None fixed
curl 3.21-main 7.53.1-r2 None fixed
curl 3.21-main 7.53.0-r0 None fixed
curl 3.21-main 7.52.1-r0 None fixed
curl 3.21-main 7.51.0-r0 None fixed
curl 3.21-main 7.50.3-r0 None fixed
curl 3.21-main 7.50.2-r0 None fixed
curl 3.21-main 7.50.1-r0 None fixed
curl 3.21-main 7.36.0-r0 None fixed
curl 3.20-main 8.14.0-r0 None fixed
curl 3.20-main 8.12.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.12.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.11.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.11.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.11.0-r2 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.11.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.10.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.9.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.9.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.7.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.20-main 8.6.0-r0 None fixed
curl 3.20-main 8.5.0-r0 None fixed
curl 3.20-main 8.4.0-r0 None fixed
curl 3.20-main 8.3.0-r0 None fixed
curl 3.20-main 8.1.0-r0 None fixed
curl 3.20-main 8.0.0-r0 None fixed
curl 3.20-main 7.88.0-r0 None fixed
curl 3.20-main 7.87.0-r0 None fixed
curl 3.20-main 7.86.0-r0 None fixed
curl 3.20-main 7.85.0-r0 None fixed
curl 3.20-main 7.84.0-r0 None fixed
curl 3.20-main 7.83.1-r0 None fixed
curl 3.20-main 7.83.0-r0 None fixed
curl 3.20-main 7.79.0-r0 None fixed
curl 3.20-main 7.78.0-r0 None fixed
curl 3.20-main 7.77.0-r0 None fixed
curl 3.20-main 7.76.0-r0 None fixed
curl 3.20-main 7.74.0-r0 None fixed
curl 3.20-main 7.72.0-r0 None fixed
curl 3.20-main 7.71.0-r0 None fixed
curl 3.20-main 7.66.0-r0 None fixed
curl 3.20-main 7.65.0-r0 None fixed
curl 3.20-main 7.64.0-r0 None fixed
curl 3.20-main 7.62.0-r0 None fixed
curl 3.20-main 7.61.1-r0 None fixed
curl 3.20-main 7.61.0-r0 None fixed
curl 3.20-main 7.60.0-r0 None fixed
curl 3.20-main 7.59.0-r0 None fixed
curl 3.20-main 7.57.0-r0 None fixed
curl 3.20-main 7.56.1-r0 None fixed
curl 3.20-main 7.55.0-r0 None fixed
curl 3.20-main 7.54.0-r0 None fixed
curl 3.20-main 7.53.1-r2 None fixed
curl 3.20-main 7.53.0-r0 None fixed
curl 3.20-main 7.52.1-r0 None fixed
curl 3.20-main 7.51.0-r0 None fixed
curl 3.20-main 7.50.3-r0 None fixed
curl 3.20-main 7.50.2-r0 None fixed
curl 3.20-main 7.50.1-r0 None fixed
curl 3.20-main 7.36.0-r0 None fixed
curl 3.19-main 8.14.0-r0 None fixed
curl 3.19-main 8.12.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.12.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.11.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.11.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.11.0-r0 None fixed
curl 3.19-main 8.10.0-r0 None fixed
curl 3.19-main 8.9.1-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.9.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.9.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.7.1-r0 None fixed
curl 3.19-main 8.6.0-r0 None fixed
curl 3.19-main 8.5.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
curl 3.19-main 8.4.0-r0 None fixed
curl 3.19-main 8.3.0-r0 None fixed
curl 3.19-main 8.1.0-r0 None fixed
curl 3.19-main 8.0.0-r0 None fixed
curl 3.19-main 7.88.0-r0 None fixed
curl 3.19-main 7.87.0-r0 None fixed
curl 3.19-main 7.86.0-r0 None fixed
curl 3.19-main 7.85.0-r0 None fixed
curl 3.19-main 7.84.0-r0 None fixed
curl 3.19-main 7.83.1-r0 None fixed
curl 3.19-main 7.83.0-r0 None fixed
curl 3.19-main 7.79.0-r0 None fixed
curl 3.19-main 7.78.0-r0 None fixed
curl 3.19-main 7.77.0-r0 None fixed
curl 3.19-main 7.76.0-r0 None fixed
curl 3.19-main 7.74.0-r0 None fixed
curl 3.19-main 7.72.0-r0 None fixed
curl 3.19-main 7.71.0-r0 None fixed
curl 3.19-main 7.66.0-r0 None fixed
curl 3.19-main 7.65.0-r0 None fixed
curl 3.19-main 7.64.0-r0 None fixed
curl 3.19-main 7.62.0-r0 None fixed
curl 3.19-main 7.61.1-r0 None fixed
curl 3.19-main 7.61.0-r0 None fixed
curl 3.19-main 7.60.0-r0 None fixed
curl 3.19-main 7.59.0-r0 None fixed
curl 3.19-main 7.57.0-r0 None fixed
curl 3.19-main 7.56.1-r0 None fixed
curl 3.19-main 7.55.0-r0 None fixed
curl 3.19-main 7.54.0-r0 None fixed
curl 3.19-main 7.53.1-r2 None fixed
curl 3.19-main 7.53.0-r0 None fixed
curl 3.19-main 7.52.1-r0 None fixed
curl 3.19-main 7.51.0-r0 None fixed
curl 3.19-main 7.50.3-r0 None fixed
curl 3.19-main 7.50.2-r0 None fixed
curl 3.19-main 7.50.1-r0 None fixed
curl 3.19-main 7.36.0-r0 None fixed