CVE-2025-5025

MEDIUM LAB

curl 8.5.0-8.13.9 - Improper Certificate Validation in QUIC HTTP/3 with wolfSSL

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5025. PoCs published by KiPhuong.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2025-5025, demonstrating an HTTP/3-based attack using Dockerized client and server components. The setup includes a real server, a fake server, and a client configured with wolfSSL, nghttp3, and ngtcp2 to exploit the vulnerability.

Description

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

Exploits (1)

nomisec WORKING POC

by KiPhuong · poc

https://github.com/KiPhuong/cve-2025-5025

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2025-5025, demonstrating an HTTP/3-based attack using Dockerized client and server components. The setup includes a real server, a fake server, and a client configured with wolfSSL, nghttp3, and ngtcp2 to exploit the vulnerability.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: HTTP/3 implementations (specific version not specified)

No auth needed

Prerequisites: Docker environment · HTTP/3 support in target software

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory

https://curl.se/docs/CVE-2025-5025.html

Vendor Advisory

https://curl.se/docs/CVE-2025-5025.json

Exploit, Issue Tracking, Third Party Advisory

https://hackerone.com/reports/3153497

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2025/05/28/5

Scores

CVSS v3 4.8

EPSS 0.0024

EPSS Percentile 14.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull kiphuong/real-server:latest

docker pull kiphuong/fake-server:latest

docker pull kiphuong/client:latest

https://github.com/KiPhuong/cve-2025-5025

View in Library

Details

CWE

CWE-295

Status published

Products (1)

haxx/curl 8.5.0 - 8.14.0

Published May 28, 2025

Tracked Since Feb 18, 2026