{"id":"CURL-CVE-2025-5025","summary":"No QUIC certificate pinning with wolfSSL","details":"libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.","aliases":["CVE-2025-5025"],"modified":"2025-05-28T08:10:29Z","published":"2025-05-28T08:00:00Z","database_specific":{"award":{"currency":"USD","amount":"2540"},"package":"curl","issue":"https://hackerone.com/reports/3153497","CWE":{"id":"CWE-295","desc":"Improper Certificate Validation"},"affects":"both","last_affected":"8.13.0","URL":"https://curl.se/docs/CVE-2025-5025.json","severity":"Medium","www":"https://curl.se/docs/CVE-2025-5025.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.5.0"},{"fixed":"8.14.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"5f78cf503c786a1d48d13528dde038bccfa6c67c"},{"fixed":"e1f65937a96a451292e9231339672797da86ecc5"}]}],"versions":["8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2025-5025-219c4e0f","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"threshold":0.9,"line_hashes":["328535129410183437562957898973881791781","180781890156043256218487831298191102995","285974129629105676882781803210090083756","254717071962375362783950884203908060508","286179645271025820010706787947250101991","227757139270925710304655007857435960963","18352228180198020919291693099374205450","28380090232625837061501378457299474009","261106116514411988873034566766241964142","120909023730509951889998663196030158874","1535221693443447621189047525432523033","67420959791795684234644295001091237450","180276100295828073298606632009816381168","221585592054420396123102823970016034346","286383682614528935190138450464725223179"]},"signature_type":"Line","target":{"file":"lib/vtls/wolfssl.c"}},{"id":"CURL-CVE-2025-5025-3a886e20","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"threshold":0.9,"line_hashes":["148486550461138867129576406502765894046","222421913779729837568396885667412139041","4279076295803158960781588172455060495","106119213793413372079166082457208727378"]},"signature_type":"Line","target":{"file":"lib/vquic/vquic-tls.c"}},{"id":"CURL-CVE-2025-5025-3b6161d2","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"function_hash":"312124394985011906056469256849086812336","length":2442},"signature_type":"Function","target":{"function":"wssl_connect","file":"lib/vtls/wolfssl.c"}},{"id":"CURL-CVE-2025-5025-507e710e","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"threshold":0.9,"line_hashes":["90476515338326768540026202697810299850","166699687223556424152768074499385923274","193297938239563647670720674045909070170","169969422080023593123148779863375297420","7586545564511708955992547475526418314","153512904584612614227244782181266503899","47410469342078373265238197047156043202","206926185032174781312143066095604816535","318001946720154455099339586774752108406"]},"signature_type":"Line","target":{"file":"lib/vtls/wolfssl.h"}},{"id":"CURL-CVE-2025-5025-f69c1b13","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"function_hash":"7265168506872776594781231797554041452","length":1613},"signature_type":"Function","target":{"function":"wssl_verify_pinned","file":"lib/vtls/wolfssl.c"}},{"id":"CURL-CVE-2025-5025-fb1f53fd","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e1f65937a96a451292e9231339672797da86ecc5","digest":{"function_hash":"21272719110480439985384758464724101584","length":996},"signature_type":"Function","target":{"function":"Curl_vquic_tls_verify_peer","file":"lib/vquic/vquic-tls.c"}}],"source":"https://curl.se/docs/CURL-CVE-2025-5025.json"}}],"schema_version":"1.7.3","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}