We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-5025

No QUIC certificate pinning with wolfSSL



Description

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

Reserved 2025-05-21 | Published 2025-05-28 | Updated 2025-05-30 | Assigner curl

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status
unaffected

8.13.0
affected

8.12.1
affected

8.12.0
affected

8.11.1
affected

8.11.0
affected

8.10.1
affected

8.10.0
affected

8.9.1
affected

8.9.0
affected

8.8.0
affected

8.7.1
affected

8.7.0
affected

8.6.0
affected

8.5.0
affected

Credits

Hiroki Kurosawa finder

Stefan Eissing remediation developer

References

curl.se/docs/CVE-2025-5025.json (json)

curl.se/docs/CVE-2025-5025.html (www)

hackerone.com/reports/3153497 (issue)

cve.org (CVE-2025-5025)

nvd.nist.gov (CVE-2025-5025)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-5025

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.