CVE-2025-0665 Affecting curl package, versions <8.12.0-r0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-CHAINGUARDLATEST-CURL-8689951
published7 Feb 2025
disclosed5 Feb 2025

Report a new vulnerability Found a mistake?

Introduced: 5 Feb 2025

NewCVE-2025-0665 (opens in a new tab)

How to fix?

Upgrade Chainguard curl to version 8.12.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

References

https://curl.se/docs/CVE-2025-0665.html
https://curl.se/docs/CVE-2025-0665.json
https://hackerone.com/reports/2954286
http://www.openwall.com/lists/oss-security/2025/02/05/2
http://www.openwall.com/lists/oss-security/2025/02/05/5