Skip to main content

Curl CVE-2025-5399

| EUVD-2025-17371 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2025-06-07 2499f714-1537-4658-8207-48ae4bb9eae9
Information Disclosure Curl Red Hat Suse
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
LOW
qualitative
SUSE
HIGH
qualitative
Red Hat
4.3 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 19:13 euvd
EUVD-2025-17371
Analysis Generated
Mar 14, 2026 - 19:13 vuln.today
PoC Detected
Jul 30, 2025 - 19:41 vuln.today
Public exploit code
CVE Published
Jun 07, 2025 - 08:15 nvd
HIGH 7.5

DescriptionCVE.org

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process.

This might be used to DoS libcurl-using application.

AnalysisAI

Denial of Service vulnerability in libcurl's WebSocket implementation that allows a malicious server to send a specially crafted packet triggering an endless busy-loop, forcing applications to kill the affected thread or process to recover. This affects all libcurl versions with WebSocket support, with CVSS 7.5 (High) severity due to network-accessible attack vector requiring no authentication. The vulnerability has high real-world impact for any application using libcurl for WebSocket connections, though exploitation requires active malicious server control.

Technical ContextAI

The vulnerability exists in libcurl's WebSocket protocol handler (typically in websocket.c or related WebSocket frame processing code). WebSocket is a stateful protocol (RFC 6455) that maintains persistent bidirectional communication channels over HTTP(S). The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition), indicating a logic flaw where the WebSocket frame parsing loop fails to properly validate packet boundaries or frame structure, creating a condition where the parser cannot exit the processing loop regardless of state. This is distinct from infinite loops with proper exit conditions—the crafted packet creates a scenario where all exit paths are unreachable. The vulnerability affects libcurl versions compiled with WebSocket support (CPE: cpe:2.3:a:libcurl:libcurl:*), particularly recent versions that added or modified WebSocket functionality around 2024-2025.

RemediationAI

Immediate actions: (1) Upgrade libcurl to patched version once released (typically announced at curl.se security advisories—patch version number pending, monitor releases post-CVE disclosure); (2) For critical systems, implement network segmentation to restrict WebSocket connections to trusted servers only; (3) Disable WebSocket support in libcurl at compile time if not required (./configure --without-websockets or similar); (4) Implement connection timeouts in calling application code to force disconnection if no data received within expected timeframe (workaround, not fix). Long-term: (1) Subscribe to curl security mailing list for patch notifications; (2) Implement automated patching for libcurl dependencies across all systems; (3) Monitor for indicators of exploitation (thread/process crashes correlated with WebSocket connections); (4) Use TLS for WebSocket connections (wss://) to reduce MITM attack surface, though this does not prevent compromised server attacks.

Vendor StatusVendor

Ubuntu

Priority: Low
curl
Release Status Version
upstream released 8.14.1-1
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
trusty not-affected code not present
xenial not-affected code not present

Debian

curl
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 7.74.0-1.3+deb11u16 -
bookworm not-affected - -
bookworm (security) fixed 7.88.1-10+deb12u5 -
trixie fixed 8.14.1-2+deb13u2 -
forky fixed 8.18.0-2 -
sid fixed 8.19.0-1 -
(unstable) fixed 8.14.1-1 -

SUSE

Severity: High
Product Status
Container containers/lmcache-lmstack-router:0.1.6-1.2 Container containers/lmcache-vllm-openai:0.3.2-1.2 Container containers/milvus:2.4.6-7.197 Container containers/pytorch:2.8.0-nvidia-3.6 Container containers/vllm-openai:0.9.1-1.2 Container private-registry/harbor-db:2.13.2_git56172457-4.12 Container private-registry/harbor-trivy-adapter:0.33.2-2.37 Container suse/manager/5.0/x86_64/server-hub-xmlrpc-api:5.0.5.1.6.26.1 Container suse/manager/5.0/x86_64/server-migration-14-16:5.0.6.7.29.1 Container trento/trento-wanda:2.0.0-build1.32.1 Container trento/trento-web:3.0.0-build4.55.1 Image SLES15-SP6-CHOST-BYOS-Aliyun Image SLES15-SP6-CHOST-BYOS-GDC Image SLES15-SP6-CHOST-BYOS-SAP-CCloud Image ai_15_6 Affected
Container containers/open-webui-mcpo:0.0.17-1.1 Container containers/open-webui-pipelines:0.20250819.030501-7.2 Container containers/open-webui:0.6.18-12.6 Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1.7.26.2 Container suse/manager/5.0/x86_64/proxy-salt-broker:5.0.5.1.7.28.2 Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Image SLES15-SP6 Image SLES15-SP6-Azure-3P Image SLES15-SP6-Azure-Basic Image SLES15-SP6-Azure-Standard Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-CHOST-BYOS Image SLES15-SP6-CHOST-BYOS-Azure Image SLES15-SP6-CHOST-BYOS-EC2 Image SLES15-SP6-CHOST-BYOS-GCE Image SLES15-SP6-EC2 Image SLES15-SP6-EC2-ECS-HVM Image SLES15-SP6-GCE Image SLES15-SP6-HPC Image SLES15-SP6-HPC-Azure Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP-Azure-3P Image SLES15-SP6-SAP-Azure-LI-BYOS Image SLES15-SP6-SAP-Azure-LI-BYOS-Production Image SLES15-SP6-SAP-Azure-VLI-BYOS Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production Image SLES15-SP6-SAP-BYOS Image SLES15-SP6-SAP-BYOS-Azure Image SLES15-SP6-SAP-BYOS-EC2 Image SLES15-SP6-SAP-BYOS-GCE Image SLES15-SP6-SAP-Hardened Image SLES15-SP6-SAP-Hardened-Azure Image SLES15-SP6-SAP-Hardened-BYOS Image SLES15-SP6-SAP-Hardened-BYOS-Azure Image SLES15-SP6-SAP-Hardened-BYOS-EC2 Image SLES15-SP6-SAP-Hardened-BYOS-GCE Image SLES15-SP6-SAP-Hardened-EC2 Image SLES15-SP6-SAP-Hardened-GCE Affected
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.6 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.33 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.18 Affected

Share

CVE-2025-5399 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy