{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5025", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2025-05-21T06:25:30.863Z", "datePublished": "2025-05-28T06:29:51.915Z", "dateUpdated": "2025-05-30T16:19:53.775Z"}, "containers": {"cna": {"title": "No QUIC certificate pinning with wolfSSL", "descriptions": [{"lang": "en", "value": "libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-05-28T06:29:51.915Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.13.0", "status": "affected", "lessThanOrEqual": "8.13.0", "versionType": "semver"}, {"version": "8.12.1", "status": "affected", "lessThanOrEqual": "8.12.1", "versionType": "semver"}, {"version": "8.12.0", "status": "affected", "lessThanOrEqual": "8.12.0", "versionType": "semver"}, {"version": "8.11.1", "status": "affected", "lessThanOrEqual": "8.11.1", "versionType": "semver"}, {"version": "8.11.0", "status": "affected", "lessThanOrEqual": "8.11.0", "versionType": "semver"}, {"version": "8.10.1", "status": "affected", "lessThanOrEqual": "8.10.1", "versionType": "semver"}, {"version": "8.10.0", "status": "affected", "lessThanOrEqual": "8.10.0", "versionType": "semver"}, {"version": "8.9.1", "status": "affected", "lessThanOrEqual": "8.9.1", "versionType": "semver"}, {"version": "8.9.0", "status": "affected", "lessThanOrEqual": "8.9.0", "versionType": "semver"}, {"version": "8.8.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "semver"}, {"version": "8.7.1", "status": "affected", "lessThanOrEqual": "8.7.1", "versionType": "semver"}, {"version": "8.7.0", "status": "affected", "lessThanOrEqual": "8.7.0", "versionType": "semver"}, {"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}, {"version": "8.5.0", "status": "affected", "lessThanOrEqual": "8.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-5025.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-5025.html", "name": "www"}, {"url": "https://hackerone.com/reports/3153497", "name": "issue"}], "credits": [{"lang": "en", "value": "Hiroki Kurosawa", "type": "finder"}, {"lang": "en", "value": "Stefan Eissing", "type": "remediation developer"}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/05/28/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-28T08:03:57.908Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T16:19:34.842150Z", "id": "CVE-2025-5025", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T16:19:53.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/05/28/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-28T08:03:57.908Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-5025", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T16:19:34.842150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T16:19:16.382Z"}}], "cna": {"title": "No QUIC certificate pinning with wolfSSL", "credits": [{"lang": "en", "type": "finder", "value": "Hiroki Kurosawa"}, {"lang": "en", "type": "remediation developer", "value": "Stefan Eissing"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.13.0", "versionType": "semver", "lessThanOrEqual": "8.13.0"}, {"status": "affected", "version": "8.12.1", "versionType": "semver", "lessThanOrEqual": "8.12.1"}, {"status": "affected", "version": "8.12.0", "versionType": "semver", "lessThanOrEqual": "8.12.0"}, {"status": "affected", "version": "8.11.1", "versionType": "semver", "lessThanOrEqual": "8.11.1"}, {"status": "affected", "version": "8.11.0", "versionType": "semver", "lessThanOrEqual": "8.11.0"}, {"status": "affected", "version": "8.10.1", "versionType": "semver", "lessThanOrEqual": "8.10.1"}, {"status": "affected", "version": "8.10.0", "versionType": "semver", "lessThanOrEqual": "8.10.0"}, {"status": "affected", "version": "8.9.1", "versionType": "semver", "lessThanOrEqual": "8.9.1"}, {"status": "affected", "version": "8.9.0", "versionType": "semver", "lessThanOrEqual": "8.9.0"}, {"status": "affected", "version": "8.8.0", "versionType": "semver", "lessThanOrEqual": "8.8.0"}, {"status": "affected", "version": "8.7.1", "versionType": "semver", "lessThanOrEqual": "8.7.1"}, {"status": "affected", "version": "8.7.0", "versionType": "semver", "lessThanOrEqual": "8.7.0"}, {"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-5025.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-5025.html", "name": "www"}, {"url": "https://hackerone.com/reports/3153497", "name": "issue"}], "descriptions": [{"lang": "en", "value": "libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-05-28T06:29:51.915Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5025", "state": "PUBLISHED", "dateUpdated": "2025-05-30T16:19:53.775Z", "dateReserved": "2025-05-21T06:25:30.863Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2025-05-28T06:29:51.915Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing."}, {"lang": "es", "value": "libcurl admite la fijaci\u00f3n de la clave p\u00fablica del certificado del servidor para transferencias HTTPS. Debido a una omisi\u00f3n, esta comprobaci\u00f3n no se realiza al conectar con QUIC para HTTP/3, cuando el backend TLS es wolfSSL. La documentaci\u00f3n indica que la opci\u00f3n funciona con wolfSSL, pero no especifica que no funciona para QUIC ni HTTP/3. Dado que la fijaci\u00f3n permite que la transferencia se realice correctamente si la fijaci\u00f3n es correcta, los usuarios podr\u00edan conectarse sin darse cuenta a un servidor falso."}], "id": "CVE-2025-5025", "lastModified": "2025-05-30T17:15:30.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-28T07:15:24.910", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-5025.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-5025.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://hackerone.com/reports/3153497"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/05/28/5"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "curl: libcurl: QUIC Certificate Pinning Bypass", "id": "2368888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368888"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.", "A flaw was found in libcurl. This vulnerability can allow an attacker to connect to an imposter server via HTTP/3 QUIC connections when using the wolfSSL TLS backend, bypassing certificate pinning verification.\nThis issue only affects instances of curl and libcurl using WolfSSL as the backend TLS library."], "name": "CVE-2025-5025", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Not affected", "package_name": "confidential-compute-attestation-tech-preview/trustee-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "snphost", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "snphost", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Not affected", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2025-05-28T06:29:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-5025\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5025\nhttps://curl.se/docs/CVE-2025-5025.html\nhttps://curl.se/docs/CVE-2025-5025.json\nhttps://hackerone.com/reports/3153497"], "statement": "This vulnerability doesn't impact any Red Hat supported curl versions, as Red Hat doesn't ship the WolfSSL TLS library in any product.", "threat_severity": "Moderate"}