#VU115137 Use of insufficiently random values in cURL - CVE-2025-10148
Vulnerability identifier: #VU115137
Vulnerability risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-330
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
cURL
Client/Desktop applications /
Other client software
Vendor: curl.haxx.se
Description
The vulnerability allows a remote attacker to perform cache poisoning.
The vulnerability exists due to the websocket code does not update the 32 bit mask pattern for each new outgoing frame as the specification says.Instead it used a fixed mask that persisted and was used throughout the entire connection. As a result, a malicious server can induce traffic between the two communicating parties that can be interpreted by an involved proxy and poison cached content.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
cURL: 7.86.0 - 8.15.0
External links
https://curl.se/docs/CVE-2025-10148.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
