PT-2025-23063 · Libcurl+2
Hiroki Kurosawa +1
Published 2025-05-28 · Updated 2026-05-18
CVE-2025-5025
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
libcurl (affected versions not specified)
Description
The issue arises from an omission in libcurl's support for pinning the server certificate public key for HTTPS transfers when QUIC is used for HTTP/3 with the wolfSSL TLS backend. Although the documentation suggests that this option works with wolfSSL, it does not state that the check is not performed for QUIC and HTTP/3. As a result, users may unwittingly connect to an impostor server without noticing, because the transfer succeeds as if the pin had matched.
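As an added example (not code from the page or from the curl project), the following Python helper parses `curl --version` output to flag builds that combine the wolfSSL backend with HTTP/3 support, and reports whether a pinned transfer can rely on the pin; the `curl --version` line layout and the sample outputs are assumptions constructed for the example, and no version gate is applied because the page lists no fixed version.

```python
"""Flag libcurl builds that pair wolfSSL with HTTP/3 (QUIC), the
configuration in which the public-key pin is not verified.
Assumed layout of `curl --version`: first line lists linked libraries
as Name/Version, and a 'Features:' line lists HTTP3 when QUIC is built in."""

import re
import subprocess

# Constructed sample outputs (not captured from real builds).
SAMPLE_WOLFSSL_HTTP3 = (
    "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 wolfSSL/5.7.6 "
    "zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.11.0 nghttp3/1.8.0\n"
    "Protocols: dict file ftp ftps http https\n"
    "Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 SSL\n"
)
SAMPLE_OPENSSL_HTTP3 = (
    "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.0.15 "
    "zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.11.0 nghttp3/1.8.0\n"
    "Features: alt-svc HTTP2 HTTP3 IPv6 SSL\n"
)
SAMPLE_WOLFSSL_NO_HTTP3 = (
    "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 wolfSSL/5.7.6 zlib/1.3.1\n"
    "Features: alt-svc HTTP2 IPv6 SSL\n"
)

LIB_RE = re.compile(r"([A-Za-z][\w-]*)/(\d[\w.+-]*)")

def parse_build(version_output):
    """Return {'libs': {name: version}, 'features': set} from `curl --version` text."""
    lines = version_output.splitlines()
    libs = dict(LIB_RE.findall(lines[0])) if lines else {}
    features = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return {"libs": libs, "features": features}

def pin_check_enforced(build, use_http3):
    """False when a pinned transfer would run over HTTP/3 on a wolfSSL build:
    there the pin is skipped and the transfer succeeds regardless.
    Conservative: any wolfSSL in the link line counts, since multi-backend
    builds may select it at runtime."""
    wolfssl = "wolfSSL" in build["libs"]
    http3 = "HTTP3" in build["features"]
    return not (use_http3 and wolfssl and http3)

def local_curl_build():
    """Parse the curl binary on PATH; None when no curl is available."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_build(out)
```

A deployment that needs pinning on an affected build should keep such transfers on HTTP/1.1 or HTTP/2 until a fixed libcurl is available.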
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Certificate Validation
Weakness Enumeration
Related identifiers
Affected products
Astra Linux
Suse
Libcurl