Main Vulnerability Database Vulnerabilities #VU109884

#VU109884 Improper Certificate Validation in cURL - CVE-2025-4947

Published: May 28, 2025

Vulnerability identifier: #VU109884

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-4947

CWE-ID: CWE-295

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
cURL

Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing certificate validation for QUIC connections when connecting to a host specified as an IP address in the URL. A remote attacker can perform Man-in-the-middle (MitM) attack.

Note, successful exploitation of the vulnerability requires wolfSSL to be used as the TLS backend for QUIC to trigger.

Remediation

Install updates from vendor's website.

External links

https://curl.se/docs/CVE-2025-4947.html

#VU109884 Improper Certificate Validation in cURL - CVE-2025-4947

Description

Remediation

External links

Please verify you're human