{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10148", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2025-09-09T03:45:41.908Z", "datePublished": "2025-09-12T05:10:37.469Z", "dateUpdated": "2025-09-12T17:17:12.815Z"}, "containers": {"cna": {"title": "predictable WebSocket mask", "descriptions": [{"lang": "en", "value": "curl's websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-09-12T05:10:37.469Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-340 Generation of Predictable Numbers or Identifiers"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.15.0", "status": "affected", "lessThanOrEqual": "8.15.0", "versionType": "semver"}, {"version": "8.14.1", "status": "affected", "lessThanOrEqual": "8.14.1", "versionType": "semver"}, {"version": "8.14.0", "status": "affected", "lessThanOrEqual": "8.14.0", "versionType": "semver"}, {"version": "8.13.0", "status": "affected", "lessThanOrEqual": "8.13.0", "versionType": "semver"}, {"version": "8.12.1", "status": "affected", "lessThanOrEqual": "8.12.1", "versionType": "semver"}, {"version": "8.12.0", "status": "affected", "lessThanOrEqual": "8.12.0", "versionType": "semver"}, {"version": "8.11.1", "status": "affected", "lessThanOrEqual": "8.11.1", "versionType": "semver"}, {"version": "8.11.0", "status": "affected", "lessThanOrEqual": "8.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-10148.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-10148.html", "name": "www"}, {"url": "https://hackerone.com/reports/3330839", "name": "issue"}], "credits": [{"lang": "en", "value": "Calvin Ruocco (Vector Informatik GmbH)", "type": "finder"}, {"lang": "en", "value": "Daniel Stenberg", "type": "remediation developer"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-12T17:16:46.486840Z", "id": "CVE-2025-10148", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T17:17:12.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10148", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-12T17:16:46.486840Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T17:17:07.462Z"}}], "cna": {"title": "predictable WebSocket mask", "credits": [{"lang": "en", "type": "finder", "value": "Calvin Ruocco (Vector Informatik GmbH)"}, {"lang": "en", "type": "remediation developer", "value": "Daniel Stenberg"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.15.0", "versionType": "semver", "lessThanOrEqual": "8.15.0"}, {"status": "affected", "version": "8.14.1", "versionType": "semver", "lessThanOrEqual": "8.14.1"}, {"status": "affected", "version": "8.14.0", "versionType": "semver", "lessThanOrEqual": "8.14.0"}, {"status": "affected", "version": "8.13.0", "versionType": "semver", "lessThanOrEqual": "8.13.0"}, {"status": "affected", "version": "8.12.1", "versionType": "semver", "lessThanOrEqual": "8.12.1"}, {"status": "affected", "version": "8.12.0", "versionType": "semver", "lessThanOrEqual": "8.12.0"}, {"status": "affected", "version": "8.11.1", "versionType": "semver", "lessThanOrEqual": "8.11.1"}, {"status": "affected", "version": "8.11.0", "versionType": "semver", "lessThanOrEqual": "8.11.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-10148.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-10148.html", "name": "www"}, {"url": "https://hackerone.com/reports/3330839", "name": "issue"}], "descriptions": [{"lang": "en", "value": "curl's websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-340 Generation of Predictable Numbers or Identifiers"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-09-12T05:10:37.469Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10148", "state": "PUBLISHED", "dateUpdated": "2025-09-12T17:17:12.815Z", "dateReserved": "2025-09-09T03:45:41.908Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2025-09-12T05:10:37.469Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "curl's websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."}], "id": "CVE-2025-10148", "lastModified": "2025-09-12T18:15:33.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-12T06:15:40.020", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-10148.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-10148.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://hackerone.com/reports/3330839"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Received"}

{"bugzilla": {"description": "curl: predictable WebSocket mask", "id": "2394749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394749"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-340", "details": ["A flaw was found in curl. The use of a predictable WebSocket mask pattern allows a malicious server to induce traffic that an intermediary proxy (whether configured or transparent) will misinterpret as a standard HTTP request. This confusion leads to a cache poisoning attack, where the proxy stores the server's malicious content and serves it to all users of that proxy."], "name": "CVE-2025-10148", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Not affected", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2025-09-12T05:10:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10148\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10148\nhttps://curl.se/docs/CVE-2025-10148.html\nhttps://curl.se/docs/CVE-2025-10148.json\nhttps://hackerone.com/reports/3330839"], "threat_severity": "Low"}