PT-2025-37027 · Curl+4

Calvin Ruocco +1 · Published 2025-01-01 · Updated 2026-06-05
CVE-2025-10148 · CVSS v3.1 5.3 Medium · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: curl (affected versions not specified)
Description: The websocket code in curl did not update the 32-bit mask pattern for each new outgoing frame, as required by the specification. Instead, a fixed mask was used throughout the entire connection. This predictable mask pattern could allow a malicious server to induce traffic between communicating parties that a proxy server might interpret as genuine HTTP traffic, potentially poisoning its cache and serving malicious content to users.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
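The description above turns on one requirement of RFC 6455 section 5.3: every client-to-server frame carries its own 4-byte masking key, chosen fresh and unpredictably, and the payload is XORed with that key byte by byte. The following is an added example, not curl's own code: it builds masked frames the way the specification requires, parses them back, and includes a check that flags a frame sequence in which the masking key repeats, which is the observable symptom of the defect this entry describes. The frame builder, parser and `masks_reused` helper are hypothetical names chosen for the example; the sample payloads are constructed.

```python
"""WebSocket client masking per RFC 6455 s5.3, with a mask-reuse check."""
import os
import struct
from typing import List, Optional, Tuple


def build_client_frame(payload: bytes, mask: Optional[bytes] = None,
                       opcode: int = 0x1, fin: bool = True) -> bytes:
    """Build a masked client frame.

    A fresh 4-byte mask is drawn from os.urandom for every frame, which is
    the behaviour the specification requires. A caller may pass an explicit
    mask only to make the output deterministic in tests (or to reproduce the
    fixed-mask behaviour described in the advisory).
    """
    if mask is None:
        mask = os.urandom(4)
    if len(mask) != 4:
        raise ValueError("mask must be exactly 4 bytes")
    header = bytes([(0x80 if fin else 0x00) | (opcode & 0x0F)])
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                       # MASK bit set
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked


def parse_client_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """Return (mask, unmasked payload) from a masked client frame."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    b1 = frame[1]
    if not b1 & 0x80:
        raise ValueError("client-to-server frames must set the MASK bit")
    n = b1 & 0x7F
    pos = 2
    if n == 126:
        n = struct.unpack("!H", frame[2:4])[0]
        pos = 4
    elif n == 127:
        n = struct.unpack("!Q", frame[2:10])[0]
        pos = 10
    mask = frame[pos:pos + 4]
    data = frame[pos + 4:pos + 4 + n]
    if len(mask) != 4 or len(data) != n:
        raise ValueError("truncated frame")
    return mask, bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def masks_reused(frames: List[bytes]) -> bool:
    """True if any two frames in the sequence carry the same masking key.

    A conforming client never repeats a key across frames, so a repeat in a
    captured sequence is the signature of the fixed-mask defect.
    """
    seen = set()
    for f in frames:
        mask, _ = parse_client_frame(f)
        if mask in seen:
            return True
        seen.add(mask)
    return False


# Constructed sample payloads for the two scenarios.
SAMPLE_PAYLOADS = [b"hello", b"world", b"third frame"]


def conforming_sequence() -> List[bytes]:
    """Frames built as the specification requires: a new mask per frame."""
    return [build_client_frame(p) for p in SAMPLE_PAYLOADS]


def fixed_mask_sequence() -> List[bytes]:
    """Frames built with one mask reused for the whole connection (the defect)."""
    fixed = b"\x01\x02\x03\x04"        # constructed, deliberately static
    return [build_client_frame(p, mask=fixed) for p in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    print("conforming sequence reuses mask:", masks_reused(conforming_sequence()))
    print("fixed-mask sequence reuses mask:", masks_reused(fixed_mask_sequence()))
```

The check in `masks_reused` is something a test suite for a WebSocket client, or a passive protocol monitor, can run over a handful of consecutive frames: with fresh 32-bit keys a repeat across a short sequence is effectively impossible, so any repeat points at a client that is not re-keying per frame.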

Related Identifiers

AZL-67082
AZL-67272
AZL-67290
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2025-10148
ECHO-0BD8-FE65-A70F
JLSEC-2026-423
OPENSUSE-SU-2025:15590-1
OPENSUSE-SU-2025:20090-1
RHSA-2026:6893
SUSE-SU-2025:03173-1
SUSE-SU-2025:03198-1
SUSE-SU-2025:03267-1
SUSE-SU-2025:03268-1
SUSE-SU-2025:20802-1
SUSE-SU-2025:20824-1
SUSE-SU-2025:21077-1
SUSE-SU-2025:21145-1
SUSE-SU-2025_03173-1
SUSE-SU-2025_03198-1
SUSE-SU-2025_03267-1
SUSE-SU-2025_03268-1
SUSE-SU-2025_21145-1
USN-8062-1

Affected Products

Debian
Linuxmint
Suse
Ubuntu
Curl