CVE-2025-10966

Medium CVSS: 4.3

curl's code for managing SSH connections when SFTP was done using the wolfSSH
powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more.

Vendor

Haxx

Product

Curl

CWE

NVD-CWE-noinfo

Yayın Tarihi

2025-11-07 08:15:39

Güncelleme

2026-01-20 14:57:03

Source Identifier

2499f714-1537-4658-8207-48ae4bb9eae9

KEV Date Added

Kategoriler

NVD-CWE-noinfo Curl MEDIUM Haxx 2025

Referanslar

https://curl.se/docs/CVE-2025-10966.html https://curl.se/docs/CVE-2025-10966.json https://hackerone.com/reports/3355218 http://www.openwall.com/lists/oss-security/2025/11/05/2

Benzer Kayıtlar

Medium

CVE-2026-3783

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl…

Medium

CVE-2026-3784

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses diffe…

High

CVE-2026-3805

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already free…

Medium

CVE-2026-1965

libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS r…

Medium

CVE-2025-15079

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenl…

Low

CVE-2025-15224

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly s…