JLSEC-2026-423 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the...

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

Siemens SCALANCE and RUGGEDCOM Generation of Predictable Numbers or Identifiers (CVE-2025-10148)

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2025-1351)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1351 advisory. When asked to both use a .netrc file for credentials and to follow HTTPredirects, curl could leak the password used for the first host to thefollowed-to host under certain circumstances. This...

Medium: curl

Issue Overview: When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect...

OPENSUSE-SU-2025:20090-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes bsc1253757 - CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348 Other fixes: - tooloperate: fix...

SUSE-SU-2025:21077-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes bsc1253757 - CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348 Other fixes: - tooloperate: fix...

SUSE-SU-2025:21145-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes bsc1253757 - CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348 Other fixes: - tooloperate: fix...

Security update for curl

This update for curl fixes the following issues: tooloperate: fix return code when --retry is used but not triggered bsc1249367 Security fixes: CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348 Patch Instructions: To...

SUSE-SU-2025:20802-1 Security update for curl

This update for curl fixes the following issues: - tooloperate: fix return code when --retry is used but not triggered bsc1249367 - Security fixes: CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348...

SUSE-SU-2025:20824-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-10148: Predictable WebSocket mask bsc1249348 - Fix the --ftp-pasv option in curl v8.14.1 bsc1246197 - tooloperate: fix return code when --retry is used but not triggere...

Security update for curl

This update for curl fixes the following issues: CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 CVE-2025-10148: Predictable WebSocket mask bsc1249348 Fix the --ftp-pasv option in curl v8.14.1 bsc1246197 tooloperate: fix return code when --retry is used but not triggered...

Fedora: Security Advisory (FEDORA-2025-97ae15dc56)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 42 : curl (2025-97ae15dc56)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-97ae15dc56 advisory. - Fix Out of bounds read for cookie path CVE-2025-9086 - Fix predictable WebSocket mask CVE-2025-10148 Tenable has extracted the preceding descripti...

AZL-67272 CVE-2025-10148 affecting package curl for versions less than 8.8.0-7

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

DEBIAN-CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

CVE-2025-10148

CVE-2025-10148 affects curl’s WebSocket implementation where the 32-bit mask pattern was not updated per outgoing frame as required by the spec. The fixed mask persisted for the entire connection, enabling a malicious server to induce traffic between the two communicating parties that an intermed...

CVE-2025-10148 predictable WebSocket mask

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

CVE-2025-10148 predictable WebSocket mask

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

SUSE SLES12 Security Update : curl (SUSE-SU-2025:03173-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03173-1 advisory. - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer bsc1249191. -...