Path traversal in wcurl and cURL - CVE-2025-11563

 

Published: November 24, 2025


Vulnerability identifier: #VU118723
CSH Severity:
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
CVE-ID: CVE-2025-11563
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
wcurl
cURL
Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing percent-encoded slashes (/ or \) in wcurl. A remote attacker can trick the application into saving the output file outside of the current directory without the user explicitly asking for it.
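
The check below is an added example, not taken from the advisory and not wcurl's own code: it derives an output file name from the last path segment of a URL and refuses any name whose percent-decoding would yield `/` or `\`. The function names, the `index.html` fallback, the control-byte rule and the sample URLs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not wcurl's code): pick a local file name from a URL and
# refuse names that would gain a path separator once percent-decoded.

# Decode %XX escapes in $1. Fails (status 1) on an encoded "/" (%2F),
# "\" (%5C) or control byte; the control-byte rule is this example's choice.
percent_decode_safe() {
    s=$1 out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                rest=${s#???}
                hex=${s%"$rest"}; hex=${hex#'%'}
                case $hex in
                    2[Ff]|5[Cc]|[01][0-9A-Fa-f]|7[Ff]) return 1 ;;
                esac
                # hex digits -> octal escape -> the decoded byte
                out=$out$(printf "\\$(printf '%03o' "0x$hex")")
                s=$rest ;;
            *)
                rest=${s#?}
                out=$out${s%"$rest"}
                s=$rest ;;
        esac
    done
    printf '%s\n' "$out"
}

# Print a file name for URL $1 that stays in the current directory, or fail.
safe_output_name() {
    url=${1%%'#'*}; url=${url%%'?'*}      # drop fragment and query string
    p=${url#*://}                         # drop the scheme
    case $p in */*) seg=${p##*/} ;; *) seg= ;; esac
    [ -n "$seg" ] || { printf 'index.html\n'; return 0; }   # assumed fallback
    name=$(percent_decode_safe "$seg") || return 1
    case $name in
        .|..|*/*|*\\*) return 1 ;;        # never a directory reference
    esac
    printf '%s\n' "$name"
}

# Constructed sample URLs (example.com is a placeholder host).
for u in 'https://example.com/pub/report%20v2.pdf?dl=1' \
         'https://example.com/pub/dir%2Ffile.txt' \
         'https://example.com/pub/dir%5cfile.txt'; do
    if n=$(safe_output_name "$u"); then echo "save as: $n"; else echo "refused: $u"; fi
done
```
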


Remediation

Install updates from the vendor's website.
