CVE-2025-0665
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
4Tags
Description
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Analysis
A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, causing the same eventfd file descriptor to be closed twice. This affects curl version 8.11.1 and various NetApp products that bundle libcurl, potentially leading to file descriptor confusion, limited information disclosure, and high availability impact. A public proof-of-concept exploit is available (HackerOne report 2954286), and the vulnerability has a notably high EPSS score of 6.37% (91st percentile), indicating elevated real-world exploitation likelihood.
Technical Context
This vulnerability affects libcurl, the widely-used library for transferring data with URLs, specifically when using threaded name resolution combined with eventfd file descriptors on Linux systems. The affected products include curl 8.11.1 directly (cpe:2.3:a:haxx:curl:8.11.1) and multiple NetApp storage firmware products (H300S, H410C, H410S, H500S, H700S) and Bootstrap OS that embed vulnerable libcurl versions. The double-close bug occurs during connection teardown after asynchronous DNS resolution completes, where the eventfd used for inter-thread communication is closed twice. This is a classic resource management error that can lead to file descriptor reuse vulnerabilities, where a newly opened file descriptor might inadvertently receive the same number as the double-closed descriptor, causing operations intended for one resource to affect another. While no specific CWE is assigned, this falls under improper resource shutdown or release patterns (similar to CWE-404 or CWE-675).
Affected Products
The primary affected product is curl/libcurl version 8.11.1 as confirmed by CPE cpe:2.3:a:haxx:curl:8.11.1. Additionally, multiple NetApp products are affected including Bootstrap OS, H300S firmware, H410C firmware, H410S firmware, H500S firmware, and H700S firmware (all versions listed with unspecified version ranges in their respective CPEs). NetApp has published a security advisory at https://security.netapp.com/advisory/ntap-20250306-0007/ addressing the impact to their products. The official curl project advisories are available at https://curl.se/docs/CVE-2025-0665.html and https://curl.se/docs/CVE-2025-0665.json. Any application or system integrating libcurl with threaded name resolution enabled is potentially vulnerable, making this a widespread supply chain concern given curl's ubiquitous deployment in software ecosystems.
Remediation
Upgrade curl/libcurl to a patched version newer than 8.11.1 as detailed in the official curl security advisory at https://curl.se/docs/CVE-2025-0665.html. For NetApp product users, follow the specific remediation guidance provided in NetApp Security Advisory NTAP-20250306-0007 at https://security.netapp.com/advisory/ntap-20250306-0007/. Until patching is completed, consider disabling threaded name resolution in libcurl by using the synchronous resolver (c-ares or system resolver without threading) if operationally feasible, though this may impact performance for applications making many concurrent DNS lookups. Review system file descriptor limits and monitoring to detect potential double-close conditions manifesting as unexpected file descriptor exhaustion or application crashes. Prioritize patching for internet-facing systems and those processing untrusted data given the network attack vector and availability impact.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today