Unsynchronized access to shared data in a multithreaded context in cURL - CVE-2025-14017

 

Published: January 7, 2026


Vulnerability identifier: #VU121025
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-14017
CWE-ID: CWE-567
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when performing multithreaded LDAPS transfers (LDAP over TLS) with libcurl. Changing TLS options in one thread inadvertently changes them globally and can therefore also affect other transfers being set up concurrently. For example, disabling certificate verification for one specific transfer could unintentionally disable it for transfers running in other threads as well, exposing those connections to MitM attacks against other websites.


How to mitigate CVE-2025-14017

Install updates from vendor's website.
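The advisory's only mitigation is updating, and it gives no fixed version. Before patching, a practitioner usually wants to know which curl/libcurl builds are even in scope: the bug is only reachable through LDAPS transfers, so a build compiled without the ldaps protocol cannot be affected. The following POSIX shell helper is an added example for this page, not code from the advisory or from the curl project. It parses the output of `curl --version` (whose `Protocols:` line is real curl output) to report the libcurl version and whether LDAPS is compiled in. The function names are hypothetical, and the two sample outputs are constructed so the script runs offline; the version numbers in them are placeholders, not a statement about which releases are vulnerable.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-14017 (example code, not the advisory's or curl's own).
# It classifies a curl build by feature (LDAPS present or not) rather than by version,
# because the advisory does not state a fixed version.

# Constructed sample: a build with LDAPS compiled in (placeholder versions).
SAMPLE_CURL_VERSION='curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 OpenSSL/3.0.15 zlib/1.3.1 libldap/2.6.8
Release-Date: 2024-12-11
Protocols: dict file ftp ftps http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets'

# Constructed sample: a minimal build without any LDAP support.
SAMPLE_NO_LDAPS='curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 OpenSSL/3.0.15 zlib/1.3.1
Release-Date: 2024-12-11
Protocols: file http https
Features: AsynchDNS IPv6 Largefile libz SSL threadsafe'

# Print the libcurl version token (e.g. "libcurl/8.11.1") from the first line of
# `curl --version` output passed as $1. Prints nothing if the token is absent.
curl_libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*\(libcurl/[0-9][0-9.]*\).*|\1|p'
}

# Print "ldaps-enabled" if the "Protocols:" line lists ldaps, "no-ldaps" otherwise.
# The case pattern is padded with spaces so that "ldap" alone does not match.
curl_ldaps_status() {
    protocols=$(printf '%s\n' "$1" | sed -n 's/^Protocols: //p')
    case " $protocols " in
        *" ldaps "*) echo "ldaps-enabled" ;;
        *)           echo "no-ldaps" ;;
    esac
}

# Combine both checks. Exit status 0 means the build is in scope for this advisory
# (LDAPS compiled in, so the shared-TLS-option bug is reachable); 1 means LDAPS is
# absent and the described code path cannot be exercised.
triage_curl_build() {
    ver=$(curl_libcurl_version "$1")
    status=$(curl_ldaps_status "$1")
    echo "${ver:-libcurl/unknown} $status"
    [ "$status" = "ldaps-enabled" ]
}

# Run against the locally installed curl when one is present; otherwise fall back
# to the constructed sample so the script still demonstrates the classification.
if command -v curl >/dev/null 2>&1; then
    triage_curl_build "$(curl --version 2>/dev/null)" || true
else
    triage_curl_build "$SAMPLE_CURL_VERSION" || true
fi
```

On a fleet, feed each host's `curl --version` output into `triage_curl_build`: only hosts reporting `ldaps-enabled` need to be checked for multithreaded applications that set per-transfer TLS options on LDAPS URLs, and those are the ones to prioritise for the vendor update.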

Sources