CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS a libcurl-using application.
Analysis
A denial-of-service vulnerability in libcurl's WebSocket implementation: a malicious server sends a specially crafted packet that traps the client in an endless busy-loop, and the application can only recover by killing the affected thread or process. It affects all libcurl versions with WebSocket support. CVSS 3.1 scores it 7.5 (High), since the attack vector is network-accessible and requires no authentication or user interaction. Real-world impact is high for any application that uses libcurl for WebSocket connections, though exploitation requires the attacker to actively control the server the client connects to.
Technical Context
The vulnerability exists in libcurl's WebSocket protocol handler (typically in websocket.c or related WebSocket frame processing code). WebSocket (RFC 6455) is a stateful protocol that maintains a persistent bidirectional channel over HTTP(S). The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition): a logic flaw in which the WebSocket frame parsing loop fails to properly validate packet boundaries or frame structure, leaving the parser in a state from which it cannot exit the processing loop. Unlike a loop that merely runs for a long time but still has a reachable exit condition, the crafted packet creates a scenario in which every exit path is unreachable. The vulnerability affects libcurl versions compiled with WebSocket support (CPE: cpe:2.3:a:libcurl:libcurl:*), particularly recent versions that added or modified WebSocket functionality around 2024-2025.
Affected Products
libcurl: All versions with WebSocket support enabled (likely 7.87.0 and later, which introduced experimental WebSocket support, through current versions). Specific affected CPEs: cpe:2.3:a:libcurl:libcurl:*:*:*:*:*:*:*:* (all versions with the WEBSOCKET feature enabled). Products commonly affected include: the curl command-line tool, applications using the libcurl library (linked statically or dynamically), and programming language bindings (curl-python, node-curl, PHP curl, etc.) that wrap libcurl. Verification requires checking whether libcurl was compiled with WebSocket support (curl --version | grep WebSocket on the command line, or feature detection in application code). Vendor advisories are typically available at: https://curl.se/advisories/ or https://curl.se/security.html
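The verification step above can be scripted against the banner that curl --version prints. The following is an added example written for this page; it is not code from vuln.today or from the curl project. It assumes that a WebSocket-enabled build lists "WebSockets" on the Features: line and ws/wss on the Protocols: line, takes 8.14.1 as the upstream fix version from the Ubuntu vendor table below, and uses constructed sample banners rather than output captured from a real host.

```python
"""Classify a `curl --version` banner for the libcurl WebSocket busy-loop issue."""
import re

# Upstream fix version, taken from the Ubuntu vendor table on this page
# ("upstream | released | 8.14.1-1").
FIXED_VERSION = (8, 14, 1)

# Constructed sample banners in the shape `curl --version` prints. They are
# illustrative input for this example, not captured from real machines.
SAMPLE_AFFECTED = """\
curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 OpenSSL/3.0.13 zlib/1.3
Protocols: dict file ftp ftps http https ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz SSL threadsafe UnixSockets WebSockets
"""
SAMPLE_NO_WS = """\
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz SSL UnixSockets
"""
SAMPLE_FIXED = """\
curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13 zlib/1.3
Protocols: dict file ftp ftps http https ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz SSL threadsafe UnixSockets WebSockets
"""


def parse_version(banner):
    """Return (major, minor, patch) of the libcurl the tool is linked against.

    The first line reads `curl X.Y.Z (...) libcurl/X.Y.Z ...`; the libcurl
    field is the one that matters, because the tool can be running against a
    different library version than the one it was built with.
    """
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no libcurl/X.Y.Z field in banner")
    return tuple(int(part) for part in m.groups())


def has_websockets(banner):
    """True when Features: lists WebSockets or Protocols: lists ws/wss."""
    feats = re.search(r"^Features:\s*(.*)$", banner, re.MULTILINE)
    protos = re.search(r"^Protocols:\s*(.*)$", banner, re.MULTILINE)
    features = set(feats.group(1).lower().split()) if feats else set()
    protocols = set(protos.group(1).lower().split()) if protos else set()
    return "websockets" in features or bool(protocols & {"ws", "wss"})


def assess(banner):
    """Classify a banner as 'not-affected', 'fixed' or 'affected'.

    'affected' is a version-based verdict only: distributions backport fixes
    without raising the version number (compare the Debian table on this
    page), so a hit here must be confirmed against the vendor's own advisory
    or package changelog before it is treated as an open finding.
    """
    if not has_websockets(banner):
        return "not-affected"
    if parse_version(banner) >= FIXED_VERSION:
        return "fixed"
    return "affected"


if __name__ == "__main__":
    samples = (("affected", SAMPLE_AFFECTED), ("no-ws", SAMPLE_NO_WS), ("fixed", SAMPLE_FIXED))
    for name, banner in samples:
        version = ".".join(str(p) for p in parse_version(banner))
        print(f"{name}: libcurl {version} -> {assess(banner)}")
```

On a real host, feed `subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout` to assess(). A build without WebSocket support is out of scope regardless of version, which is why the feature check runs before the version comparison.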
Remediation
Immediate actions:
(1) Upgrade libcurl to the patched version once released (typically announced at curl.se security advisories; patch version number pending, monitor releases post-CVE disclosure).
(2) For critical systems, implement network segmentation to restrict WebSocket connections to trusted servers only.
(3) Disable WebSocket support in libcurl at compile time if not required (./configure --without-websockets or similar).
(4) Implement connection timeouts in calling application code to force disconnection if no data is received within the expected timeframe (workaround, not fix).
Long-term:
(1) Subscribe to the curl security mailing list for patch notifications.
(2) Implement automated patching for libcurl dependencies across all systems.
(3) Monitor for indicators of exploitation (thread/process crashes correlated with WebSocket connections).
(4) Use TLS for WebSocket connections (wss://) to reduce the MITM attack surface, though this does not prevent attacks from a compromised server.
Vendor Status
Ubuntu
Priority: Low
| Release | Status | Version |
|---|---|---|
| upstream | released | 8.14.1-1 |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| trusty | not-affected | code not present |
| xenial | not-affected | code not present |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 7.74.0-1.3+deb11u16 | - |
| bookworm | not-affected | - | - |
| bookworm (security) | fixed | 7.88.1-10+deb12u5 | - |
| trixie | fixed | 8.14.1-2+deb13u2 | - |
| forky | fixed | 8.18.0-2 | - |
| sid | fixed | 8.19.0-1 | - |
| (unstable) | fixed | 8.14.1-1 | - |
EUVD-2025-17371