{"id":"CURL-CVE-2025-4947","summary":"QUIC certificate check skip with wolfSSL","details":"libcurl built with wolfSSL accidentally skips the certificate verification for\nQUIC connections when connecting to a host specified as an IP address in the\nURL. Therefore, it does not detect impostors or man-in-the-middle attacks.","aliases":["CVE-2025-4947"],"modified":"2026-05-21T06:00:15.086440065Z","published":"2025-05-28T08:00:00Z","database_specific":{"affects":"both","severity":"Medium","package":"curl","URL":"https://curl.se/docs/CVE-2025-4947.json","last_affected":"8.13.0","CWE":{"id":"CWE-295","desc":"Improper Certificate Validation"},"issue":"https://hackerone.com/reports/3150884","award":{"currency":"USD","amount":"2540"},"www":"https://curl.se/docs/CVE-2025-4947.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.8.0"},{"fixed":"8.14.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"4c46e277b2a0c0489de0e0fcb91f315c62f0369c"},{"fixed":"a85f1df4803bbd272905c9e712537b41afeafbd3"}]}],"versions":["8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2025-4947.json"}}],"schema_version":"1.7.5","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}