Back to search
CVE-2025-5025
Published: May 28, 2025
Modified: May 30, 2025
PUBLISHED
Description
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
| Vendor | Product | Versions |
|---|---|---|
curl | curl | affected 8.13.0 - <= 8.13.0affected 8.12.1 - <= 8.12.1affected 8.12.0 - <= 8.12.0affected 8.11.1 - <= 8.11.1affected 8.11.0 - <= 8.11.0+9 more versions |
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now