CVE-2025-5399

Published: Jun 7, 2025Modified: Jul 30, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.

Affected (1)

Products: Haxx: Curl

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haxx Curl	From 8.13.0 to 8.14.1

Related CWEs

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References (4)

https://curl.se/docs/CVE-2025-5399.html

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

Vendor Advisory

https://curl.se/docs/CVE-2025-5399.json

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

Vendor Advisory

https://hackerone.com/reports/3168039

Source: 2499f714-1537-4658-8207-48ae4bb9eae9

ExploitIssue TrackingThird Party Advisory

http://www.openwall.com/lists/oss-security/2025/06/04/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.