Description

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

PUBLISHED Reserved 2025-10-09 | Published 2026-02-25 | Updated 2026-02-25 | Assigner curl

Problem types

CWE-35 Path Traversal

Product status

Default status: unaffected

8.17.0 (semver): affected
8.16.0 (semver): affected
8.15.0 (semver): affected
8.14.1 (semver): affected
8.14.0 (semver): affected

Credits

Stanislav Fort (Aisle Research): finder

Samuel Henrique: remediation developer

Sergio Durigan Junior: remediation developer

Xi Ruoyao: remediation developer

References

www.openwall.com/lists/oss-security/2025/11/04/1

lists.debian.org/debian-release/2025/11/msg00504.html release-notes

curl.se/docs/CVE-2025-11563.json (json)

curl.se/docs/CVE-2025-11563.html (www)

cve.org (CVE-2025-11563)

nvd.nist.gov (CVE-2025-11563)