CVE-2025-15079
MEDIUMcurl 7.58.0-8.17.9 - Improper Certificate Validation with Host Mismatch in SSH Transfers
Title source: llmDescription
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
References (4)
Core 4
Core References
Vendor Advisory, Patch
https://curl.se/docs/CVE-2025-15079.html
Vendor Advisory
https://curl.se/docs/CVE-2025-15079.json
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/3477116
Mailing List, Third Party Advisory, Patch
http://www.openwall.com/lists/oss-security/2026/01/07/6
Scores
CVSS v3
5.3
EPSS
0.0005
EPSS Percentile
14.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-297
Status
published
Products (1)
haxx/curl
7.58.0 - 8.18.0
Published
Jan 08, 2026
Tracked Since
Feb 18, 2026