CVE-2025-15224
LOWcurl 7.58.0-8.17.9 - Improper Authentication via SSH Agent
Title source: llmDescription
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
References (4)
Core 4
Core References
Vendor Advisory, Patch
https://curl.se/docs/CVE-2025-15224.html
Vendor Advisory
https://curl.se/docs/CVE-2025-15224.json
Exploit, Third Party Advisory, Issue Tracking
https://hackerone.com/reports/3480925
Mailing List, Third Party Advisory, Patch
http://www.openwall.com/lists/oss-security/2026/01/07/7
Scores
CVSS v3
3.1
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (1)
haxx/curl
7.58.0 - 8.18.0
Published
Jan 08, 2026
Tracked Since
Feb 18, 2026