Bru Rom

**Name of the Vulnerable Software and Affected Versions** curl and libcurl versions prior to 7.50.1 **Description** The issue allows remote attackers to bypass intended restrictions by resuming a TLS session even when the client certificate has changed. This is because libcurl would attempt to resume a TLS session even if the client certificate had changed, which is unacceptable since a server may skip the client certificate check on resume and use the old identity established by the previous certificate. libcurl supports the use of TLS session id/ticket to resume previous TLS sessions, which can be used to speed up subsequent TLS handshakes. **Recommendations** For versions prior to 7.50.1, update to version 7.50.1 or later to resolve the issue. As a temporary workaround, consider disabling TLS session resumption until a patch is available. Restrict access to sensitive resources that rely on client certificate authentication to minimize the risk of exploitation. Avoid using TLS session id/ticket in the affected libcurl versions until the issue is resolved.