CVE-2025-0665

CRITICAL

libcurl - Use After Free

Title source: llm

Description

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

References (6)

[Vendor Advisory] https://curl.se/docs/CVE-2025-0665.html

[Vendor Advisory] https://curl.se/docs/CVE-2025-0665.json

[Exploit, Issue Tracking, Third Party Advisory] https://hackerone.com/reports/2954286

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/02/05/2

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/02/05/5

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20250306-0007/

Scores

CVSS v3 9.8

EPSS 0.1193

EPSS Percentile 93.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-1341

Status published

Affected Products (7)

haxx/curl

netapp/bootstrap_os

netapp/h300s_firmware

netapp/h410c_firmware

netapp/h410s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

Timeline

Published Feb 05, 2025

Tracked Since Feb 18, 2026