{"id":"CURL-CVE-2025-14017","summary":"broken TLS options for threaded LDAPS","details":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.","aliases":["CVE-2025-14017"],"modified":"2026-04-25T20:30:10.665655Z","published":"2026-01-07T08:00:00Z","database_specific":{"award":{"amount":"2540","currency":"USD"},"CWE":{"id":"CWE-567","desc":"Unsynchronized Access to Shared Data in a Multi-threaded Context"},"last_affected":"8.17.0","www":"https://curl.se/docs/CVE-2025-14017.html","severity":"Medium","URL":"https://curl.se/docs/CVE-2025-14017.json","package":"curl","affects":"lib"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.17.0"},{"fixed":"8.18.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34"},{"fixed":"39d1976b7f709a516e3243338ebc0443bdd8d56d"}]}],"versions":["8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:10Z","source":"https://curl.se/docs/CURL-CVE-2025-14017.json","vanir_signatures":[{"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d","id":"CURL-CVE-2025-14017-28146b14","digest":{"length":8505,"function_hash":"37413675167135937267792190267466435311"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/ldap.c","function":"ldap_do"}},{"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d","id":"CURL-CVE-2025-14017-8cb6942c","digest":{"line_hashes":["291066512972280488307819903431993511202","335616671601391784408763749425491255102","15332393221871824012294322508883110483","269595456889441104059461341461282194900","276615617976952633141037312128738047727","163614650112109509474010240133925201841","281233309491075572802283826301602968374","14142371141113040174230590269486963662","80887541070283731735738379837659782175","120914942518298191687399908592158931202","93641439614167132758334721003857430320","118210159464298990742303814155827108681","165975699607295818890105673247800433358","19967447634158104553406852286906696124","140185581814792422821856040848954572599","315643603779251402706589703234131367150","77423940815346791454775608675517974463","320597090553420297191630722033847384339","212018246941482313252249547290288013567","95885357128481937551209278134956402850","282160757975273296493094105707377141127","117193982966611066631718089743643124438","339904193100834606227603711318172058858","318629454668127129823685974022878197029","275081019603276673367816076513961505174","295569135545302919915932377040749070381","259418389924122707676190241073862100530","256685216033499453390440332046132908337","318215904910732804034858650009431276630","42445011043620067568904673483033680825","18468973848617223247640457495460008409","13684758176737454538656927307832655890","215558187170538087680595887746612224749","239301495187817853611518132056467549382","169751027945365372508360952543330733479","264117732922448541323229768772369219671","160858660696129734475924792087462839269","249498687208425847296496573306379814541","244653012810279422055473875852913854530","117193982966611066631718089743643124438","249555951262227619129170857755038143003","161024972162410073878767851951891109666","194269265092435364072190133701773270215","109142120982148421629891383061899265711","23951645517238640387132132870398035206","187059438104196369548791994548420436954","179265822852950346100333883858837625157","115407509726540468409710278701113586657","260076220841979353149925267667204103755","259418389924122707676190241073862100530","256685216033499453390440332046132908337","318215904910732804034858650009431276630","194675660771287079869313910475749467715","67243697143603151168811820865342706320","226784787181357359076499561195335535981","18345432228180760147585764606044986151"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"lib/ldap.c"}}]}}],"schema_version":"1.7.5","credits":[{"name":"Stanislav Fort (Aisle Research)","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}