12 matches found
CVE-2025-13034
When using CURLOPTPINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper chec...
Siemens SIMATIC S7-1500 Improper Certificate Validation (CVE-2024-2379)
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. This plugin only works wi...
Security update for curl
This update for curl fixes the following issues: Update to version 8.14.1 jscPED-13055, jscPED-13056. Security issues fixed: CVE-2025-0665: eventfd double close can cause libcurl to act unreliably bsc1236589. CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks...
CVE-2025-5025 No QUIC certificate pinning with wolfSSL
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
CVE-2025-5025
CVSS/summary: CVE-2025-5025 affects libcurl’s server public key pinning for HTTPS when using QUIC/HTTP/3 with wolfSSL as TLS backend. The vulnerability arises from an omission where the pinning check is not performed for QUIC/HTTP/3 connections, even though documentation states the feature works ...
curl -- Multiple vulnerabilities
curl security team reports: CVE-2025-5025: No QUIC certificate pinning with wolfSSL CVE-2025-4947: QUIC certificate check skip with wolfSSL...
curl: CVE-2025-5025: No QUIC certificate pinning with wolfSSL
Summary: When using wolfSSL as the TLS backend, certificate pinning does not work when using HTTP/3. The code should invoke wsslverifypinned, but it has not been implemented. Affected version curl -V WARNING: this libcurl is Debug-enabled, do not use in production curl 8.13.0 x8664-pc-linux-gnu...
curl: CVE-2025-4947: QUIC certificate check skip with wolfSSL
Summary: When using WolfSSL as the TLS backend, there is an issue where the CN or SAN in the certificate is not verified when connecting to an IP address over HTTP/3. wolfSSLX509checkhost is only called when peer-sni is not NULL. However, when an IP address is specified, peer-sni is NULL, so the...
Security update for curl
This update for curl fixes the following issues: Security issues fixed: CVE-2024-7264: ASN.1 date parser overread bsc1228535 CVE-2024-6197: Freeing stack buffer in utf8asn1str bsc1227888 CVE-2024-2379: QUIC certificate check bypass with wolfSSL bsc1221666 CVE-2024-2466: TLS certificate check bypa...
SUSE-SU-2025:20029-1 Security update for curl
This update for curl fixes the following issues: Security issues fixed: - CVE-2024-7264: ASN.1 date parser overread bsc1228535 - CVE-2024-6197: Freeing stack buffer in utf8asn1str bsc1227888 - CVE-2024-2379: QUIC certificate check bypass with wolfSSL bsc1221666 - CVE-2024-2466: TLS certificate...
[slackware-security] curl
New curl packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/curl-8.7.1-i586-1slack15.0.txz: Upgraded. This release fixes the following security issues: TLS certificate check bypass with mbedTLS...
Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...