CVE-2025-10148
MEDIUMcurl WebSocket Mask Reuse - Proxy Cache Poisoning
Title source: manualDescription
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
References (6)
Core 6
Core References
Vendor Advisory, Patch
https://curl.se/docs/CVE-2025-10148.html
Vendor Advisory
https://curl.se/docs/CVE-2025-10148.json
Issue Tracking, Third Party Advisory
https://hackerone.com/reports/3330839
Mailing List, Third Party Advisory, Patch
http://www.openwall.com/lists/oss-security/2025/09/10/2
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/09/10/3
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/09/10/4
Scores
CVSS v3
5.3
EPSS
0.0012
EPSS Percentile
30.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
Status
published
Products (1)
haxx/curl
8.11.0 - 8.16.0
Published
Sep 12, 2025
Tracked Since
Feb 18, 2026