CVE-2025-10966
MEDIUM
curl - Info Disclosure
Title source: llm
Description
curl's code for managing SSH connections when doing SFTP with the wolfSSH-powered backend was flawed and lacked host verification mechanisms. This prevents curl from detecting MITM attackers and more.
References (4)
Scores
CVSS v3
4.3
EPSS
0.0002
EPSS Percentile
4.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Classification
Status
published
Affected Products (1)
haxx/curl
< 8.17.0
Timeline
Published
Nov 07, 2025
Tracked Since
Feb 18, 2026