CVE-2025-13034

EUVD-2026-1572

08.01.2026, 10:15

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`
with the curl tool,curl should check the public key of the server certificate
to verify the peer.

This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
haxx	curl	8.8.0 ≤ 𝑥 < 8.18.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

curl

bookworm	7.88.1-10+deb12u14 not-affected
bookworm (security)	7.88.1-10+deb12u5 fixed
bullseye	7.74.0-1.3+deb11u13 not-affected
bullseye (security)	7.74.0-1.3+deb11u16 fixed
forky	8.18.0-2 fixed
sid	8.19.0~rc2-2 fixed
trixie	no-dsa

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

Vulnerability Media Exposure

[GERMAN] cURL: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder vertrauliche Informationen offenzulegen.
Published: 2026-01-06T23:00:00+00:00

References

https://curl.se/docs/CVE-2025-13034.html

https://curl.se/docs/CVE-2025-13034.json