CVE-2025-5025

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
curlCNA
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
not-affected
bookworm
7.88.1-10+deb12u12
not-affected
bullseye (security)
7.74.0-1.3+deb11u14
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
plucky
not-affected
oracular
not-affected
noble
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Vulnerability Media Exposure
References
https://curl.se/docs/CVE-2025-5025.html
https://curl.se/docs/CVE-2025-5025.json
https://hackerone.com/reports/3153497
http://www.openwall.com/lists/oss-security/2025/05/28/5