QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-10148

Back to search

CVE-2025-10148

Published: Sep 12, 2025

Modified: Nov 18, 2025

PUBLISHED

Description

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

VendorProductVersions

curl

curl

affected
8.15.0 - <= 8.15.0
affected
8.14.1 - <= 8.14.1
affected
8.14.0 - <= 8.14.0
affected
8.13.0 - <= 8.13.0
affected
8.12.1 - <= 8.12.1

+3 more versions

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now