CVE-2025-10148

12.09.2025, 06:15

curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
curl	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

curl

bullseye	7.74.0-1.3+deb11u13 not-affected
trixie	no-dsa
bookworm	ignored
bullseye (security)	7.74.0-1.3+deb11u15 fixed
bookworm (security)	vulnerable
forky	vulnerable
sid	8.16.0-1 fixed

Vulnerability Media Exposure

[GERMAN] cURL: Mehrere Schwachstellen ermöglichen Manipulation von Dateien
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um Dateien zu manipulieren.
Published: 2025-09-09T22:00:00+00:00

References

https://curl.se/docs/CVE-2025-10148.html

https://curl.se/docs/CVE-2025-10148.json

https://hackerone.com/reports/3330839