Curl 8.5.0 < 8.14.0 Improper Certificate Validation (CVE-2025-5025)

The version of Curl installed on the remote host is is missing security update. It is, therefore, affected by a improper certificate validation vulnerability. - libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when...

SUSE CVE-2025-5025

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

No QUIC certificate pinning with wolfSSL

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation through pinning of the server certificate public key for HTTPS transfers. An attacker can impersonate a legitimate server and intercept or manipulate communications by presenting a fraudulent certificate...

ALPINE-CVE-2025-5025

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

DEBIAN-CVE-2025-5025

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

libcurl 安全漏洞

libcurl is a free and easy-to-use client-side URL transport library from the cURL open source. A security vulnerability exists in libcurl that stems from QUIC and HTTP/3 connections that do not perform certificate public key fixing checks, which could lead to a man-in-the-middle attack...

USN-7427-1 dotnet8, dotnet9 vulnerability

James Newton-King discovered that .NET did not properly limit resource allocation when handling certain HTTP/3 requests. An attacker could possibly use this issue to cause a denial of service...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling very large buffered HTTP/3 header values. Remediation Upgrade Microsoft.AspNetCore.App.Runtime.osx-arm64 to version 8.0.15, 9.0.4 or higher. References - GitHub Commit -...

Allocation of Resources Without Limits or Throttling

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...

Allocation of Resources Without Limits or Throttling

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...

Allocation of Resources Without Limits or Throttling

Overview Microsoft.AspNetCore.App.Runtime.linux-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...

Security update for haproxy

This update for haproxy fixes the following issues: Update to version 2.8.11+git0.01c1056a4: VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server bsc1233973 BUG/MINOR: cfgparse-listen: fix option httpslog overrid...

The vulnerability of the QUIC and HTTP/3 implementations in the C language package NGTCP2 lies in the improper implementation of control flow management, allowing a attacker to execute arbitrary code.

The vulnerability of the QUIC and HTTP/3 implementations in the C language package NGTCP2 is related to the implementation of incorrect flow control. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...

PT-2024-31607 · H2O · H2O

Name of the Vulnerable Software and Affected Versions: h2o versions prior to the version containing commit 1ed32b2 Description: The issue affects h2o, an HTTP server that supports HTTP/1.x, HTTP/2, and HTTP/3. When configured as a reverse proxy, h2o may crash due to an assertion failure if HTTP/3...

dotnet: kestrel: closing an HTTP/3 stream can cause a race condition and lead to remote code execution

A flaw was found in dotnet. When closing an HTTP/3 stream while application code is writing to the response body, a race condition can cause a use-after-free...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free that could allow remote code executi...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free that could allow remote code...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free that could allow remote code...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-x86 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free that could allow remote code execution...