Vulnerability Monitor


CVE-2025-5025

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3 while the TLS backend is wolfSSL. The documentation states that the option works with wolfSSL but does not mention that it has no effect for QUIC and HTTP/3. Because a user expects the transfer to succeed only when the pin matches, a transfer that silently skips the check could let them connect to an impostor server without noticing.

Published

2025-05-28T07:15:24.910

Last Modified

2025-07-30T19:41:37.987

Status

Analyzed

Source

2499f714-1537-4658-8207-48ae4bb9eae9

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses
  • CWE-295 (Primary)

Affected Vendors & Products
Type         Vendor   Product   Version/Range   Vulnerable?
Application  haxx     curl      < 8.14.0        Yes

References