#VU115137 Use of insufficiently random values in cURL - CVE-2025-10148


Published: September 10, 2025


Vulnerability identifier: #VU115137
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-10148
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
cURL
Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to perform cache poisoning. 

The vulnerability exists because the WebSocket code does not generate a fresh 32-bit masking key for each outgoing frame, as RFC 6455 requires. Instead it used a single fixed mask that persisted for the entire connection. Because the mask is static, a malicious server that learns it can have the client send payloads whose masked (on-the-wire) bytes are attacker-chosen, so that an intermediary proxy on the path interprets that traffic as ordinary HTTP requests and responses and caches poisoned content.
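The following is an added illustration of the mechanism, not code from curl. It builds RFC 6455 client frames two ways: with a fixed, connection-wide masking key (the weak pattern the advisory describes) and with a fresh key from a CSPRNG per frame. With the fixed key, a server that knows it simply pre-XORs the bytes it wants on the wire, so the client's "masked" frame carries a plaintext HTTP request of the server's choosing; with a fresh key, the server cannot predict the wire bytes. The key value, the target request and all function names are constructed for this example.

```python
import secrets

# Stand-in for the weak behaviour: one 32-bit pattern reused for every frame.
# The value is a constructed example, not curl's actual key.
FIXED_MASK = bytes.fromhex("deadbeef")


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 section 5.3: XOR each payload byte with key[i % 4]."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: bytes, opcode: int = 0x2) -> bytes:
    """Build one FIN=1 client-to-server frame with the MASK bit set.

    Handles the 7-bit and 16-bit length forms (payloads up to 65535 bytes);
    the 64-bit form is not needed for this demonstration.
    """
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    header = bytes([0x80 | (opcode & 0x0F)])
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n <= 0xFFFF:
        header += bytes([0x80 | 126]) + n.to_bytes(2, "big")
    else:
        raise ValueError("payload too long for this example")
    return header + key + mask_payload(payload, key)


def frame_fixed_mask(payload: bytes) -> bytes:
    """Weak pattern: the same key for every outgoing frame of the connection."""
    return build_client_frame(payload, FIXED_MASK)


def frame_fresh_mask(payload: bytes) -> bytes:
    """Corrected pattern: a new unpredictable key per frame, as RFC 6455 requires."""
    return build_client_frame(payload, secrets.token_bytes(4))


def parse_client_frame(frame: bytes) -> tuple[int, bytes, bytes]:
    """Decode a frame from build_client_frame; returns (opcode, key, payload)."""
    opcode = frame[0] & 0x0F
    if not frame[1] & 0x80:
        raise ValueError("client-to-server frame is not masked")
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        n = int.from_bytes(frame[2:4], "big")
        pos = 4
    elif n == 127:
        raise ValueError("64-bit length form not supported in this example")
    key = frame[pos:pos + 4]
    masked = frame[pos + 4:pos + 4 + n]
    return opcode, key, mask_payload(masked, key)


def attacker_payload_for(known_key: bytes, wire_bytes: bytes) -> bytes:
    """What a malicious server asks the client to send so that, after masking
    with a key the server already knows, exactly wire_bytes appear on the wire.
    XOR is its own inverse, so this is the masking operation applied in advance."""
    return mask_payload(wire_bytes, known_key)


def wire_contains(frame: bytes, needle: bytes) -> bool:
    """Does the raw frame, as a proxy on the path would see it, contain needle?"""
    return needle in frame


def demo() -> dict:
    # Constructed example of what the attacker wants an intermediary to parse.
    target = b"GET /poison HTTP/1.1\r\nHost: victim.example\r\n\r\n"
    chosen = attacker_payload_for(FIXED_MASK, target)
    vuln_frame = frame_fixed_mask(chosen)
    safe_frame = frame_fresh_mask(chosen)
    return {
        "vuln_on_wire": wire_contains(vuln_frame, target),   # True: request leaks
        "safe_on_wire": wire_contains(safe_frame, target),   # False: key unknown
        "vuln_roundtrip": parse_client_frame(vuln_frame)[2] == chosen,
        "safe_roundtrip": parse_client_frame(safe_frame)[2] == chosen,
    }


if __name__ == "__main__":
    print(demo())
```

Both frames decode to the same application payload, so the peer sees no difference; only the bytes visible to an intermediary change. That is the whole point of the masking requirement, and why reusing the key across frames removes the protection even though every frame still has the MASK bit set.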


Remediation

Install updates from the vendor's website. The issue is fixed in curl 8.16.0.

External links