Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-15224

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Published

2026-01-08T10:15:47.207

Last Modified

2026-01-20T14:47:52.710

Status

Analyzed

Source

2499f714-1537-4658-8207-48ae4bb9eae9

Severity

CVSSv3.1: 3.1 (LOW)

Weaknesses

Type: Secondary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haxx	curl	< 8.18.0	Yes

References

https://curl.se/docs/CVE-2025-15224.html Vendor Advisory, Patch (2499f714-1537-4658-8207-48ae4bb9eae9)
https://curl.se/docs/CVE-2025-15224.json Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://hackerone.com/reports/3480925 Exploit, Third Party Advisory, Issue Tracking (2499f714-1537-4658-8207-48ae4bb9eae9)
http://www.openwall.com/lists/oss-security/2026/01/07/7 Mailing List, Third Party Advisory, Patch (af854a3a-2127-422b-91ae-364da2661108)