Home

Description

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

PUBLISHED Reserved 2025-05-21 | Published 2025-05-28 | Updated 2025-05-30 | Assigner curl

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status
unaffected

8.13.0 (semver)
affected

8.12.1 (semver)
affected

8.12.0 (semver)
affected

8.11.1 (semver)
affected

8.11.0 (semver)
affected

8.10.1 (semver)
affected

8.10.0 (semver)
affected

8.9.1 (semver)
affected

8.9.0 (semver)
affected

8.8.0 (semver)
affected

8.7.1 (semver)
affected

8.7.0 (semver)
affected

8.6.0 (semver)
affected

8.5.0 (semver)
affected

Credits

Hiroki Kurosawa finder

Stefan Eissing remediation developer

References

www.openwall.com/lists/oss-security/2025/05/28/5

curl.se/docs/CVE-2025-5025.json (json)

curl.se/docs/CVE-2025-5025.html (www)

hackerone.com/reports/3153497 (issue)

cve.org (CVE-2025-5025)

nvd.nist.gov (CVE-2025-5025)

Download JSON