CVE-2025-4947
Severity: MEDIUM
curl 8.8.0-8.13.0 - Improper Certificate Validation for QUIC Connections via IP Address URL
Title source: llmDescription
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
References (4)
Core References
https://curl.se/docs/CVE-2025-4947.html (Patch, Vendor Advisory)
https://curl.se/docs/CVE-2025-4947.json (Vendor Advisory)
https://hackerone.com/reports/3150884 (Exploit, Issue Tracking, Patch)
http://www.openwall.com/lists/oss-security/2025/05/28/4 (Mailing List, Patch, Third Party Advisory)
Scores
CVSS v3: 6.5
EPSS: 0.0024
EPSS Percentile: 14.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-295
Status: published
Products (1)
haxx/curl: 8.8.0 - 8.14.0
Published: May 28, 2025
Tracked Since: Feb 18, 2026