{"id":"CVE-2025-5025","details":"libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3 when the TLS backend is wolfSSL. The documentation says the option works with wolfSSL but does not state that it is not enforced for QUIC and HTTP/3. Users rely on the pin check to make the transfer fail when the server key does not match; with the check skipped, a transfer to an impostor server presenting a different key succeeds and the user does not notice.","aliases":["CURL-CVE-2025-5025"],"modified":"2026-03-20T12:43:59.678289Z","published":"2025-05-28T07:15:24.910Z","related":["SUSE-SU-2025:03198-1","SUSE-SU-2025:20675-1","openSUSE-SU-2025:15176-1"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/05/28/5"},{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2025-5025.html"},{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2025-5025.json"},{"type":"REPORT","url":"https://hackerone.com/reports/3153497"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"7161cb17c01dcff1dc5bf89a18437d9d729f1ecd"},{"fixed":"4dacb79fcdd9364c1083e06f6a011d797a344f47"}],"database_specific":{"versions":[{"introduced":"8.5.0"},{"fixed":"8.14.0"}]}}],"versions":["curl-8_10_0","curl-8_10_1","curl-8_11_0","curl-8_11_1","curl-8_12_0","curl-8_12_1","curl-8_13_0","curl-8_5_0","curl-8_6_0","curl-8_7_0","curl-8_7_1","curl-8_8_0","curl-8_9_0","curl-8_9_1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-5025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}
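A triage check derived from the record above, added here as an example and not part of the OSV record or of curl's own code: it parses the text of `curl --version` and reports whether a build meets all three conditions the advisory names, a libcurl version in the affected window (8.5.0 up to but not including 8.14.0), the wolfSSL TLS backend, and HTTP/3 support. The sample outputs are constructed in the shape of real `curl --version` output, with illustrative component versions; the pinning option itself is CURLOPT_PINNEDPUBLICKEY (`--pinnedpubkey` on the command line). The check assumes that any wolfSSL token on the first line puts the build in scope, which over-reports for MultiSSL builds where the backend is chosen at runtime.

```python
import re

# Affected libcurl range taken from the advisory record:
# introduced in 8.5.0, fixed in 8.14.0 (commit 4dacb79fcdd9364c1083e06f6a011d797a344f47).
AFFECTED_INTRODUCED = (8, 5, 0)
AFFECTED_FIXED = (8, 14, 0)

# Constructed sample outputs in the shape of `curl --version`. Component versions
# are illustrative and do not describe any particular real build.
SAMPLE_WOLFSSL_HTTP3 = """\
curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 wolfSSL/5.7.6 zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.11.0 nghttp3/1.8.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_OPENSSL_HTTP3 = """\
curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 OpenSSL/3.4.0 zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.11.0 nghttp3/1.8.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_WOLFSSL_FIXED = """\
curl 8.14.0 (x86_64-pc-linux-gnu) libcurl/8.14.0 wolfSSL/5.8.0 zlib/1.3.1 nghttp2/1.65.0 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_WOLFSSL_NO_HTTP3 = """\
curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 wolfSSL/5.7.6 zlib/1.3.1 nghttp2/1.64.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""


def parse_curl_version(text):
    """Return (libcurl version tuple, uses_wolfssl, set of Features) from `curl --version` text.

    The first line carries the libcurl/x.y.z token and the TLS backend tokens;
    the Features: line lists capabilities such as HTTP2 and HTTP3.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty version output")
    first = lines[0]
    match = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", first)
    if match is None:
        raise ValueError("no libcurl/x.y.z token on the first line")
    version = tuple(int(part) for part in match.groups())
    # Assumption: a wolfSSL/<ver> token on the first line means wolfSSL may be the
    # active backend (MultiSSL builds can list several; we treat any as in scope).
    uses_wolfssl = re.search(r"\bwolfSSL/", first) is not None
    features = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features.update(line.split(":", 1)[1].split())
    return version, uses_wolfssl, features


def is_affected(text):
    """Return (affected, reason) for CVE-2025-5025 based on `curl --version` text."""
    version, uses_wolfssl, features = parse_curl_version(text)
    vstr = ".".join(str(part) for part in version)
    if not (AFFECTED_INTRODUCED <= version < AFFECTED_FIXED):
        return False, f"libcurl {vstr} is outside the affected range 8.5.0 <= v < 8.14.0"
    if not uses_wolfssl:
        return False, f"libcurl {vstr} is in range but not built with wolfSSL"
    if "HTTP3" not in features:
        return False, f"libcurl {vstr} uses wolfSSL but has no HTTP3 support, so no QUIC path skips the pin check"
    return True, f"libcurl {vstr} with wolfSSL and HTTP3: public key pinning is not enforced over QUIC"


if __name__ == "__main__":
    samples = {
        "wolfSSL + HTTP3, 8.12.1": SAMPLE_WOLFSSL_HTTP3,
        "OpenSSL + HTTP3, 8.12.1": SAMPLE_OPENSSL_HTTP3,
        "wolfSSL + HTTP3, 8.14.0": SAMPLE_WOLFSSL_FIXED,
        "wolfSSL, no HTTP3, 8.12.1": SAMPLE_WOLFSSL_NO_HTTP3,
    }
    for name, sample in samples.items():
        affected, reason = is_affected(sample)
        print(f"{name}: {'AFFECTED' if affected else 'not affected'} ({reason})")
```

To use it against a real system, feed the output of `curl --version` to `is_affected`. A negative result for the curl binary says nothing about applications that bundle their own libcurl; those report their build through `curl_version_info()` and need the same three conditions checked. Note also that when the check does not apply (no HTTP/3, or a non-wolfSSL backend), an intentionally wrong `--pinnedpubkey` value should still make the transfer fail; over QUIC on an affected wolfSSL build it will not.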