PT-2025-23063 · Libcurl +2

Hiroki Kurosawa +1

Published: 2025-05-28 · Updated: 2026-05-18

CVE-2025-5025

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: libcurl (affected versions not specified)

Description: The issue arises from an omission in libcurl's support for pinning the server certificate's public key for HTTPS transfers when HTTP/3 is used over QUIC with the wolfSSL TLS backend. Although the documentation states that this option works with wolfSSL, it does not mention that the check is not performed for QUIC and HTTP/3 transfers. As a result, users may unwittingly connect to an impostor server without noticing, since the transfer succeeds as though the pin had matched.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

AZL-62038
BDU:2025-10233
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2025-5025
ECHO-FA7F-8ECF-75E7
JLSEC-2026-433
OPENSUSE-SU-2025:15176-1
SUSE-SU-2025:03198-1
SUSE-SU-2025:20675-1
SUSE-SU-2025_03198-1

Affected Products

Astra Linux
Suse
Libcurl