PT-2025-54485 · Gnutls+6

Daniel Stenberg, +1 · Published 2025-01-01 · Updated 2026-05-04 · CVE-2025-13034

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: libcurl (affected versions not specified)
Description: When using the CURLOPT_PINNEDPUBLICKEY option in libcurl, or the --pinnedpubkey option with the curl tool, the software is expected to compare the server certificate's public key against the pinned key to confirm the peer's identity. A condition existed where this check was skipped, so a connection could be established without that verification, potentially to an impostor server. This occurred specifically when using QUIC with ngtcp2 built to use GnuTLS, and when standard certificate verification had been explicitly disabled. The vulnerable component is the public key verification step performed for pinned public keys.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

CVE-2025-13034
JLSEC-2026-426
MGASA-2026-0003
RHSA-2026:6893
USN-8062-1

Affected Products

Debian
Gnutls
Linuxmint
Ubuntu
Curl
Libcurl
Ngtcp2