{"id":"USN-8062-2","summary":"curl vulnerabilities","details":"USN-8062-1 fixed vulnerabilities in curl. This update provides the\ncorresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224\nfor Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04\nLTS.\n\nOriginal advisory details:\n\n It was discovered that curl incorrectly handled cookies when redirected\n from secure to insecure connections. An attacker could possibly use this\n issue to cause a denial of service, or obtain sensitive information.\n This issue only affected Ubuntu 25.10. (CVE-2025-9086)\n\n Calvin Ruocco discovered that curl did not properly handle WebSocket\n communications under certain circumstances. A malicious server could\n possibly use this issue to poison proxy caches with malicious content.\n This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.\n (CVE-2025-10148)\n\n Stanislav Fort discovered that wcurl did not properly handle URLs with\n certain encoded characters. If a user were tricked into processing\n a specially crafted URL, an attacker could possibly use this issue to\n write files outside the intended directory. This issue only affected\n Ubuntu 25.10. (CVE-2025-11563)\n\n Stanislav Fort discovered that curl did not properly validate pinned\n public keys under certain circumstances. A remote attacker could\n possibly use this issue to perform a machine-in-the-middle attack. This\n issue only affected Ubuntu 25.10. (CVE-2025-13034)\n\n Stanislav Fort discovered that curl did not properly manage TLS options\n when performing LDAP over TLS transfers in multi-threaded environments.\n Under certain circumstances, certificate verification could be\n unintentionally and unknowingly disabled. (CVE-2025-14017)\n\n It was discovered that curl incorrectly handled OAuth2 bearer tokens\n when following redirects. A remote attacker could possibly use this\n issue to obtain authentication credentials. 
(CVE-2025-14524)\n\n Stanislav Fort discovered that curl did not properly validate TLS\n certificates when reusing connections. A remote attacker could possibly\n use this issue to bypass expected certificate verification. This issue\n only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-14819)\n\n Harry Sintonen discovered that curl did not properly validate SSH host\n keys when performing SSH-based file transfers. This issue could lead to\n unintended bypass of custom known_hosts file. This issue only\n affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15079)\n\n Harry Sintonen discovered that curl built with libssh did not properly\n handle authentication when performing SSH-based file transfers. This\n could result in unintended authentication operations. This issue only\n affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15224)","modified":"2026-03-07T03:58:47.086750Z","published":"2026-03-03T18:42:11Z","related":["UBUNTU-CVE-2025-14017","UBUNTU-CVE-2025-15079","UBUNTU-CVE-2025-15224"],"upstream":["CVE-2025-14017","CVE-2025-15079","CVE-2025-15224","UBUNTU-CVE-2025-14017","UBUNTU-CVE-2025-15079","UBUNTU-CVE-2025-15224"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8062-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-14017"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-15079"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-15224"}],"affected":[{"package":{"name":"curl","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20+esm19?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.35.0-1ubuntu2.20+esm19"}]}],"versions":["7.32.0-1ubuntu1","7.33.0-1ubuntu1","7.34.0-1ubuntu1","7.35.0-1ubuntu1","7.35.0-1ubuntu2","7.35.0-1ubuntu2.1","7.35.0-1ubuntu2.2","7.35.0-1ubuntu2.3","7.35.0-1ubuntu2.5","7.35.0-1ubuntu2.6","7.35.0-1ubuntu2.7","7.35.0-1ubuntu2.8","7.35.0-1ubuntu2.9","7.35.0
-1ubuntu2.10","7.35.0-1ubuntu2.11","7.35.0-1ubuntu2.12","7.35.0-1ubuntu2.13","7.35.0-1ubuntu2.14","7.35.0-1ubuntu2.15","7.35.0-1ubuntu2.16","7.35.0-1ubuntu2.17","7.35.0-1ubuntu2.19","7.35.0-1ubuntu2.20","7.35.0-1ubuntu2.20+esm2","7.35.0-1ubuntu2.20+esm3","7.35.0-1ubuntu2.20+esm4","7.35.0-1ubuntu2.20+esm5","7.35.0-1ubuntu2.20+esm6","7.35.0-1ubuntu2.20+esm7","7.35.0-1ubuntu2.20+esm8","7.35.0-1ubuntu2.20+esm9","7.35.0-1ubuntu2.20+esm10","7.35.0-1ubuntu2.20+esm11","7.35.0-1ubuntu2.20+esm12","7.35.0-1ubuntu2.20+esm13","7.35.0-1ubuntu2.20+esm14","7.35.0-1ubuntu2.20+esm15","7.35.0-1ubuntu2.20+esm16","7.35.0-1ubuntu2.20+esm17","7.35.0-1ubuntu2.20+esm18"],"ecosystem_specific":{"binaries":[{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"curl"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl3"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl3-gnutls"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl3-nss"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl4-gnutls-dev"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl4-nss-dev"},{"binary_version":"7.35.0-1ubuntu2.20+esm19","binary_name":"libcurl4-openssl-dev"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: 
https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:14.04:LTS","cves":[{"id":"CVE-2025-14017","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8062-2.json"}},{"package":{"name":"curl","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/curl@7.47.0-1ubuntu2.19+esm15?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.47.0-1ubuntu2.19+esm15"}]}],"versions":["7.43.0-1ubuntu2","7.45.0-1ubuntu1","7.46.0-1ubuntu1","7.47.0-1ubuntu1","7.47.0-1ubuntu2","7.47.0-1ubuntu2.1","7.47.0-1ubuntu2.2","7.47.0-1ubuntu2.3","7.47.0-1ubuntu2.4","7.47.0-1ubuntu2.5","7.47.0-1ubuntu2.6","7.47.0-1ubuntu2.7","7.47.0-1ubuntu2.8","7.47.0-1ubuntu2.9","7.47.0-1ubuntu2.11","7.47.0-1ubuntu2.12","7.47.0-1ubuntu2.13","7.47.0-1ubuntu2.14","7.47.0-1ubuntu2.15","7.47.0-1ubuntu2.16","7.47.0-1ubuntu2.18","7.47.0-1ubuntu2.19","7.47.0-1ubuntu2.19+esm1","7.47.0-1ubuntu2.19+esm2","7.47.0-1ubuntu2.19+esm3","7.47.0-1ubuntu2.19+esm4","7.47.0-1ubuntu2.19+esm5","7.47.0-1ubuntu2.19+esm6","7.47.0-1ubuntu2.19+esm7","7.47.0-1ubuntu2.19+esm8","7.47.0-1ubuntu2.19+esm9","7.47.0-1ubuntu2.19+esm10","7.47.0-1ubuntu2.19+esm11","7.47.0-1ubuntu2.19+esm12","7.47.0-1ubuntu2.19+esm13"],"ecosystem_specific":{"binaries":[{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"curl"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl3"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl3-gnutls"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl3-nss"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl4-gnutls-dev"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl4-nss-dev"},{"binary_version":"7.47.0-1ubuntu2.19+esm15","binary_name":"libcurl4-openssl-dev"}],"availability":"Available with 
Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"id":"CVE-2025-14017","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8062-2.json"}},{"package":{"name":"curl","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/curl@7.58.0-2ubuntu3.24+esm7?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.58.0-2ubuntu3.24+esm7"}]}],"versions":["7.55.1-1ubuntu2","7.55.1-1ubuntu2.1","7.57.0-1ubuntu1","7.58.0-2ubuntu1","7.58.0-2ubuntu2","7.58.0-2ubuntu3","7.58.0-2ubuntu3.1","7.58.0-2ubuntu3.2","7.58.0-2ubuntu3.3","7.58.0-2ubuntu3.5","7.58.0-2ubuntu3.6","7.58.0-2ubuntu3.7","7.58.0-2ubuntu3.8","7.58.0-2ubuntu3.9","7.58.0-2ubuntu3.10","7.58.0-2ubuntu3.12","7.58.0-2ubuntu3.13","7.58.0-2ubuntu3.14","7.58.0-2ubuntu3.15","7.58.0-2ubuntu3.16","7.58.0-2ubuntu3.17","7.58.0-2ubuntu3.18","7.58.0-2ubuntu3.19","7.58.0-2ubuntu3.20","7.58.0-2ubuntu3.21","7.58.0-2ubuntu3.22","7.58.0-2ubuntu3.23","7.58.0-2ubuntu3.24","7.58.0-2ubuntu3.24+esm1","7.58.0-2ubuntu3.24+esm2","7.58.0-2ubuntu3.24+esm3","7.58.0-2ubuntu3.24+esm4","7.58.0-2ubuntu3.24+esm5"],"ecosystem_specific":{"binaries":[{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"curl"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl3-gnutls"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl3-nss"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl4"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl4-gnutls-dev"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl4-nss-dev"},{"binary_version":"7.58.0-2ubuntu3.24+esm7","binary_name":"libcurl4-openssl-dev"}],"availability":"Available with Ubuntu Pro (Infra-only): 
https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"id":"CVE-2025-14017","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-15079","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2025-15224","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8062-2.json"}},{"package":{"name":"curl","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.25+esm2?arch=source&distro=esm-infra/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.68.0-1ubuntu2.25+esm2"}]}],"versions":["7.65.3-1ubuntu3","7.65.3-1ubuntu4","7.66.0-1ubuntu1","7.67.0-2ubuntu1","7.68.0-1ubuntu1","7.68.0-1ubuntu2","7.68.0-1ubuntu2.1","7.68.0-1ubuntu2.2","7.68.0-1ubuntu2.4","7.68.0-1ubuntu2.5","7.68.0-1ubuntu2.6","7.68.0-1ubuntu2.7","7.68.0-1ubuntu2.10","7.68.0-1ubuntu2.11","7.68.0-1ubuntu2.12","7.68.0-1ubuntu2.13","7.68.0-1ubuntu2.14","7.68.0-1ubuntu2.15","7.68.0-1ubuntu2.16","7.68.0-1ubuntu2.18","7.68.0-1ubuntu2.19","7.68.0-1ubuntu2.20","7.68.0-1ubuntu2.21","7.68.0-1ubuntu2.22","7.68.0-1ubuntu2.23","7.68.0-1ubuntu2.24","7.68.0-1ubuntu2.25"],"ecosystem_specific":{"binaries":[{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"curl"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl3-gnutls"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl3-nss"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl4"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl4-gnutls-dev"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl4-nss-dev"},{"binary_version":"7.68.0-1ubuntu2.25+esm2","binary_name":"libcurl4-openssl-dev"}
],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"id":"CVE-2025-14017","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-15079","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2025-15224","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8062-2.json"}}],"schema_version":"1.7.3"}