#VU118723 Path traversal in wcurl and cURL - CVE-2025-11563

 


Published: November 24, 2025


Vulnerability identifier: #VU118723
Vulnerability risk:
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
CVE-ID: CVE-2025-11563
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
wcurl
cURL
Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing percent-encoded slashes (/ or \) in wcurl. A remote attacker can trick the application into saving the output file outside of the current directory without the user explicitly asking for it.
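
A defensive check for the flaw described above, as an added example that is not wcurl's or cURL's own code: POSIX sh that derives an output file name from a URL and refuses percent-encoded path separators instead of decoding them. The function names and the sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not wcurl's code; function names are hypothetical.

# Decode %XX escapes in $1 and print the result.
percent_decode() {
    _in=$1 _out=
    while [ -n "$_in" ]; do
        case $_in in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _hex=${_in#?}                 # drop the leading '%'
                _hex=${_hex%"${_hex#??}"}     # keep only the two hex digits
                _out=$_out$(printf '%b' "\\0$(printf '%o' "$((0x$_hex))")")
                _in=${_in#???} ;;
            *)
                _out=$_out${_in%"${_in#?}"}   # copy one literal character
                _in=${_in#?} ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Print a safe output file name for URL $1, or return 1 if none can be derived.
safe_output_name() {
    _u=${1%%#*}; _u=${_u%%\?*}               # strip fragment and query string
    _u=${_u#*://}                             # strip the scheme
    case $_u in */*) _seg=${_u##*/} ;; *) return 1 ;; esac
    case $_seg in
        *%2[Ff]*|*%5[Cc]*|*\\*) return 1 ;;   # encoded '/' or '\', or a raw '\'
        *%[01][0-9A-Fa-f]*)     return 1 ;;   # encoded control bytes
    esac
    _name=$(percent_decode "$_seg")
    case $_name in
        ''|.|..|*/*|*\\*) return 1 ;;         # must be a plain name, never a path
    esac
    printf '%s\n' "$_name"
}

# Constructed sample URLs: one ordinary download, two that must be refused.
for url in 'https://example.com/files/report%20v2.pdf?dl=1' \
           'https://example.com/dl/..%2F..%2Ftmp%2Fx' \
           'https://example.com/dl/%2e%2e'; do
    if name=$(safe_output_name "$url"); then
        printf 'save as: %s\n' "$name"
    else
        printf 'refused: %s\n' "$url"
    fi
done
```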


Remediation

Install updates from the vendor's website.

External links