CVE-2025-4947

Published: May 28, 2025Modified: Jun 26, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Affected (1)

Products: Haxx: Curl

Haxx

1 product

Curl

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 8.8.0 to 8.14.0

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://curl.se/docs/CVE-2025-4947.html

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

PatchVendor Advisory

https://curl.se/docs/CVE-2025-4947.json

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

Vendor Advisory

https://hackerone.com/reports/3150884

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

ExploitIssue TrackingPatch

http://www.openwall.com/lists/oss-security/2025/05/28/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

Timeline

No history available yet.