SB2025052805 - Multiple vulnerabilities in cURL
Published: May 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2025-5025)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists because libcurl does not perform pinning of the server certificate public key for HTTPS transfers when connecting with QUIC for HTTP/3 and the TLS backend is wolfSSL. A remote attacker can perform a Man-in-the-Middle (MitM) attack and trick the victim into connecting to a malicious server.
2) Improper Certificate Validation (CVE-ID: CVE-2025-4947)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists because certificate validation is missing for QUIC connections when the host in the URL is specified as an IP address. A remote attacker can perform a Man-in-the-Middle (MitM) attack.
Note: successful exploitation of the vulnerability requires wolfSSL to be the TLS backend used for QUIC.
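Both issues above share one build-level precondition: libcurl compiled with wolfSSL as its TLS backend and with HTTP/3 (QUIC) support. The following shell snippet is an added example, not part of this bulletin or of the curl project, that screens a `curl --version` banner for exactly that combination so an administrator can triage which hosts need the vendor update first. It assumes the standard banner layout (the first line names the TLS backend as `wolfSSL/<version>` and a `Features:` line lists `HTTP3` when QUIC is compiled in); the sample banners are constructed and their version numbers are illustrative. The banner alone does not tell you whether a given build already carries the fix, so treat a positive result as "needs patch-level confirmation", not as proof of vulnerability.

```shell
# Added example, not part of the bulletin: screen a `curl --version` banner
# for the precondition both CVEs share (wolfSSL TLS backend plus HTTP/3 over QUIC).
# Assumption: the first banner line names the TLS backend as "wolfSSL/<ver>" and
# a "Features:" line lists HTTP3 when QUIC support is compiled in.

# Exit 0 when the banner shows wolfSSL *and* HTTP3 (build matches the bulletin's
# precondition); exit 1 otherwise.
curl_quic_wolfssl_exposed() {
    banner=$1
    first_line=$(printf '%s\n' "$banner" | sed -n '1p')
    features=$(printf '%s\n' "$banner" | sed -n 's/^Features: *//p')
    has_wolfssl=0
    has_http3=0
    case "$first_line" in
        *wolfSSL/*) has_wolfssl=1 ;;
    esac
    # Pad with spaces so "HTTP3" is matched as a whole token, not as part of "HTTP3x".
    case " $features " in
        *" HTTP3 "*) has_http3=1 ;;
    esac
    if [ "$has_wolfssl" -eq 1 ] && [ "$has_http3" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for a banner.
classify_curl_build() {
    if curl_quic_wolfssl_exposed "$1"; then
        echo "EXPOSED: wolfSSL backend with HTTP/3 support; confirm patch level and apply the vendor update"
    else
        echo "NOT MATCHED: build lacks the wolfSSL+HTTP3 combination these CVEs require"
    fi
}

# Inspect the curl binary on the local PATH (not exercised by the samples below).
check_local_curl() {
    classify_curl_build "$(curl --version 2>/dev/null)"
}

# Constructed sample banners (version numbers illustrative, not real releases).
BANNER_WOLFSSL_H3='curl 8.0.0 (x86_64-pc-linux-gnu) libcurl/8.0.0 wolfSSL/5.0.0 ngtcp2/1.0.0 nghttp3/1.0.0
Release-Date: 2025-01-01
Protocols: file http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 SSL'

BANNER_OPENSSL_H3='curl 8.0.0 (x86_64-pc-linux-gnu) libcurl/8.0.0 OpenSSL/3.0.0 ngtcp2/1.0.0 nghttp3/1.0.0
Features: alt-svc AsynchDNS HTTP2 HTTP3 IPv6 SSL'

BANNER_WOLFSSL_NOH3='curl 8.0.0 (x86_64-pc-linux-gnu) libcurl/8.0.0 wolfSSL/5.0.0
Features: alt-svc AsynchDNS HTTP2 IPv6 SSL'

for b in "$BANNER_WOLFSSL_H3" "$BANNER_OPENSSL_H3" "$BANNER_WOLFSSL_NOH3"; do
    classify_curl_build "$b"
done
```

Only the first sample is flagged: an OpenSSL-backed build with HTTP/3, or a wolfSSL build without HTTP/3, does not meet the precondition for either CVE. Run `check_local_curl` on a host to classify the curl actually installed there.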
Remediation
Install the update from the vendor's website.