Curl · Curl · CVE-2025-10148
Name of the Vulnerable Software and Affected Versions:
curl (affected versions not specified)
Description:
The WebSocket code in curl did not update the 32-bit mask pattern for each new outgoing frame, as the WebSocket specification requires. Instead, a single fixed mask was used for the entire connection. Because the mask was predictable, a malicious server could induce the client to send traffic that an intermediate proxy might interpret as genuine HTTP traffic, potentially poisoning the proxy's cache and serving malicious content to its users.
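The following is an added illustration, not curl's own code: it implements RFC 6455 client-side masking, models the weak behaviour described above (one mask reused for the whole connection; the advisory does not say how curl chose that value, so drawing it once per connection is an assumption) next to the conforming behaviour (a fresh random mask per frame), and provides a check a defender can run over captured client frames to spot mask reuse.

```python
import os


def apply_mask(payload: bytes, mask: bytes) -> bytes:
    """RFC 6455 section 5.3: XOR payload byte i with mask[i mod 4]. Self-inverse."""
    if len(mask) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def encode_client_frame(payload: bytes, mask: bytes, opcode: int = 0x1) -> bytes:
    """Build a FIN=1, masked client->server frame with a 7-bit length (payload < 126 bytes)."""
    if len(payload) >= 126:
        raise ValueError("this example only handles payloads shorter than 126 bytes")
    header = bytes([0x80 | opcode, 0x80 | len(payload)])  # FIN+opcode, MASK bit+length
    return header + mask + apply_mask(payload, mask)


class FixedMaskSender:
    """Weak behaviour from the advisory: one mask for the entire connection (assumed drawn once)."""

    def __init__(self) -> None:
        self._mask = os.urandom(4)

    def send(self, payload: bytes) -> bytes:
        return encode_client_frame(payload, self._mask)


class FreshMaskSender:
    """Spec-conforming behaviour: a new unpredictable 32-bit mask for every outgoing frame."""

    def send(self, payload: bytes) -> bytes:
        return encode_client_frame(payload, os.urandom(4))


def masking_keys(frames: list[bytes]) -> list[bytes]:
    """Extract the 4-byte masking key from each short masked client frame (bytes 2..5)."""
    return [f[2:6] for f in frames]


def reuses_mask(frames: list[bytes]) -> bool:
    """Detection check: True if any masking key repeats across the captured frames.

    The mask exists so a server cannot control the bytes the client puts on the wire;
    a repeated key defeats that purpose, which is the defect this advisory describes.
    """
    keys = masking_keys(frames)
    return len(set(keys)) < len(keys)
```

Running `reuses_mask` over a handful of frames captured from a client under test is enough to flag a sender that never rotates its mask.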
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.