Improper Certificate Validation Affecting libcurl package, versions [8.5.0,8.15.0)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CONAN-LIBCURL-11499917
- published7 Aug 2025
- disclosed28 May 2025
- creditHiroki Kurosawa
Introduced: 28 May 2025
CVE-2025-5025 (opens in a new tab)How to fix?
Upgrade libcurl to version 8.15.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Certificate Validation through pinning of the server certificate public key for HTTPS transfers. An attacker can impersonate a legitimate server and intercept or manipulate communications by presenting a fraudulent certificate that the client fails to properly verify.
Note:
This only affects users connecting with QUIC for HTTP/3 while the TLS backend is wolfSSL. Beware that while curl versions before 8.5.0 are not strictly considered vulnerable to this flaw, certificate pinning for QUIC with wolfSSL did not work correctly then either. But before then HTTP/3 support was labeled experimental and not presumed to work 100%.
Workaround
For users that cannot upgrade the package to the fixed version it is recommended to:
- Apply the patch to your local version or
- Avoid using HTTP/3 or certificate pinning with curl built to use wolfSSL
PoC
Prepare curl with WolfSSL backend.
curl --http3 https://google.com --pinnedpubkey sha256//ffff
It should result in an error because the specified public key and the certificate's public key are different, but no error occurs. An error occurs when using HTTP/1.1. An error occurs when the TLS backend is OpenSSL or GnuTLS.