CVE-2025-10966

Published: Nov 7, 2025Modified: Jun 2, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.

Affected (1)

Products: Haxx: Curl

Haxx

1 product

Curl

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 7.69.0 to 8.17.0

References (5)

https://curl.se/docs/CVE-2025-10966.html

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

PatchVendor Advisory

https://curl.se/docs/CVE-2025-10966.json

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

Vendor Advisory

https://hackerone.com/reports/3355218

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

ExploitIssue TrackingThird Party Advisory

http://www.openwall.com/lists/oss-security/2025/11/05/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-253495.html

Source: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

Timeline

No history available yet.