CVE-2025-0725
Published 2025-02-05
Priority P3 · 40 · high · CVSS 3.1 base score 7.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.60% (70.0th percentile)
When libcurl is asked to perform automatic gzip decompression of
content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
make libcurl perform a buffer overflow.
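The failure mode the advisory describes is an unchecked addition into zlib's 32-bit `uInt` counter: once enough server-supplied gzip header bytes have been accumulated, `avail_in + nbytes` wraps, the buffer is reallocated to the wrapped (tiny) size, and the next copy of `nbytes` runs off the end of it. The following is an added example written for this page, not code from curl or zlib: it isolates that arithmetic, shows the wrapped result on input that a malicious server controls, and pairs it with a checked append that rejects the same input. The `header_stash` struct, the `cap` policy limit and the three constructed header chunks are assumptions of the example; curl's own fix is not reproduced here.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* zlib's uInt is a 32-bit unsigned int on every common ABI; that is the
   width in which `z->avail_in += (uInt) nbytes;` silently wraps. */
typedef unsigned int uInt;

/* Hypothetical stand-in for the two z_stream fields the vulnerable snippet
   touches (this example's struct, not libcurl's or zlib's). */
struct header_stash {
    unsigned char *next_in;
    uInt avail_in;
};

/* The vulnerable arithmetic, isolated: the sum is computed in 32 bits, so a
   later realloc(next_in, avail_in) shrinks the buffer while the caller still
   copies nbytes into it. Returned as a value so the wrap can be observed
   without performing an out-of-bounds write. */
uInt vuln_grow_size(uInt avail_in, size_t nbytes)
{
    return avail_in + (uInt)nbytes;          /* wraps modulo 2^32 */
}

/* Hardened form: refuse the append when the new length would not fit in uInt
   or would exceed a policy cap on how much header the client is willing to
   buffer from the server. `cap` is an assumption of this example. */
int safe_grow_size(uInt avail_in, size_t nbytes, size_t cap, uInt *out)
{
    if (cap > UINT_MAX)
        cap = UINT_MAX;                      /* the sum must stay inside uInt */
    if (nbytes > cap || avail_in > cap - nbytes)
        return -1;                           /* would overflow or exceed cap */
    *out = avail_in + (uInt)nbytes;          /* now provably in range */
    return 0;
}

/* Append a chunk of server-supplied header bytes with the check in place.
   Returns 0 on success, -1 on overflow, policy violation or allocation failure. */
int safe_append(struct header_stash *s, const unsigned char *buf,
                size_t nbytes, size_t cap)
{
    uInt newlen;
    unsigned char *p;

    if (nbytes == 0)
        return 0;                            /* nothing to add; avoid realloc(p, 0) */
    if (safe_grow_size(s->avail_in, nbytes, cap, &newlen))
        return -1;
    p = realloc(s->next_in, newlen);
    if (!p)
        return -1;
    memcpy(p + s->avail_in, buf, nbytes);    /* write stays inside newlen bytes */
    s->next_in = p;
    s->avail_in = newlen;
    return 0;
}

/* Demonstration 1: a counter already near UINT_MAX plus a 100-byte chunk.
   Returns 1 when the vulnerable arithmetic wraps to a tiny size and the
   hardened check rejects the same input. */
int demo_wrap_detected(void)
{
    uInt near_max = UINT_MAX - 10u;
    uInt wrapped = vuln_grow_size(near_max, 100);   /* 89, not 4294967395 */
    uInt out = 0;
    int rejected = safe_grow_size(near_max, 100, SIZE_MAX, &out);
    return wrapped == 89u && rejected == -1;
}

/* Demonstration 2: normal operation on three constructed gzip-header chunks
   (magic, method/flags with FNAME set, and a NUL-terminated file name).
   Returns the total buffered length and frees the stash. */
size_t demo_roundtrip(void)
{
    static const unsigned char c1[] = { 0x1f, 0x8b };   /* gzip magic */
    static const unsigned char c2[] = { 0x08, 0x08 };   /* deflate, FNAME flag */
    static const unsigned char c3[] = "evil.txt";       /* 8 chars + NUL = 9 bytes */
    struct header_stash s = { NULL, 0 };
    size_t cap = 64 * 1024;                             /* example policy cap */
    size_t total = 0;

    if (safe_append(&s, c1, sizeof c1, cap) == 0 &&
        safe_append(&s, c2, sizeof c2, cap) == 0 &&
        safe_append(&s, c3, sizeof c3, cap) == 0 &&
        memcmp(s.next_in, "\x1f\x8b\x08\x08" "evil.txt", 13) == 0)
        total = s.avail_in;                             /* 2 + 2 + 9 = 13 */
    free(s.next_in);
    return total;
}

int main(void)
{
    printf("wrap detected and rejected: %d\n", demo_wrap_detected());
    printf("buffered header bytes: %zu\n", demo_roundtrip());
    return 0;
}
```

The check in `safe_grow_size` is written as a subtraction against the cap rather than as an addition followed by a comparison, so the test itself cannot overflow; clamping `cap` to `UINT_MAX` keeps the result representable in the 32-bit field even on 64-bit builds where `size_t` is wider than `uInt`.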
Affected
185 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.10.5 – 7.10.5 | — |
| curl | curl | 7.10.6 – 7.10.6 | — |
| curl | curl | 7.10.7 – 7.10.7 | — |
| curl | curl | 7.10.8 – 7.10.8 | — |
| curl | curl | 7.11.0 – 7.11.0 | — |
| curl | curl | 7.11.1 – 7.11.1 | — |
| curl | curl | 7.11.2 – 7.11.2 | — |
| curl | curl | 7.12.0 – 7.12.0 | — |
| curl | curl | 7.12.1 – 7.12.1 | — |
| curl | curl | 7.12.2 – 7.12.2 | — |
| curl | curl | 7.12.3 – 7.12.3 | — |
| curl | curl | 7.13.0 – 7.13.0 | — |
| curl | curl | 7.13.1 – 7.13.1 | — |
| curl | curl | 7.13.2 – 7.13.2 | — |
| curl | curl | 7.14.0 – 7.14.0 | — |
| curl | curl | 7.14.1 – 7.14.1 | — |
| curl | curl | 7.15.0 – 7.15.0 | — |
| curl | curl | 7.15.1 – 7.15.1 | — |
| curl | curl | 7.15.2 – 7.15.2 | — |
| curl | curl | 7.15.3 – 7.15.3 | — |
| curl | curl | 7.15.4 – 7.15.4 | — |
| curl | curl | 7.15.5 – 7.15.5 | — |
| curl | curl | 7.16.0 – 7.16.0 | — |
| curl | curl | 7.16.1 – 7.16.1 | — |
| curl | curl | 7.16.2 – 7.16.2 | — |
CVSS provenance
- nvd: v3.1, 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- osv: 7.3 HIGH
- vendor_debian: 7.3 LOW
- vendor_msrc: 7.3 HIGH
- vendor_oracle: 7.3 HIGH
- vendor_redhat: 7.3 HIGH
OSV
osv · 2025-02-05 · CVSS 7.3 · HIGH
CVE-2025-0725: When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
GHSA
ghsa_unreviewed · 2025-02-05 · HIGH · CWE-120
GHSA-vvqh-cqpj-5537 (CVE-2025-0725): When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Oracle
vendor_oracle · 2025-07-15 · CVSS 7.3 · HIGH
Oracle Commerce Risk Matrix: Forge (curl) vulnerability
CVE: CVE-2025-0725
CVSS: 7.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Microsoft
vendor_msrc · 2025-02-11 · CVSS 7.3 · HIGH · CWE-120
gzip integer overflow
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-lin
Red Hat
vendor_redhat · 2025-02-05 · CVSS 7.3 · HIGH · CWE-680
libcurl: Buffer Overflow in libcurl via zlib Integer Overflow
When libcurl is asked to perform automatic gzip decompression of
content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
make libcurl perform a buffer overflow.
A flaw was found in libcurl. This vulnerability allows an attacker to trigger a buffer overflow via an integer overflow in zlib 1.2.0.3 or older when libcurl performs automatic gzip decompression.
Statement: This CVE is not applicable to any supported version of Red Hat Enterprise Linux since RHEL-4.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and
Debian
vendor_debian · 2025 · CVSS 7.3 · HIGH
curl: When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
sid: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
trixie: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
No detection rules found.
No public exploits indexed.
HackerOne
hackerone · 2025-04-27 · CVSS 7.3 · HIGH
CVE-2025-0725: Heap overflow in curl with Content-Encoding gzip and old libz versions
Hello,
I would like to report a vulnerability here that I previously reported to the curl project.
In curl's support for old libz version lies an integer overflow that can be triggered by a malicious http server by serving
abnormally large gzip headers that then leads to a heap overflow with attacker-controlled data when `Content-Encoding: gzip`
is used.
Original report: https://hackerone.com/reports/2956023
CVE: CVE-2025-0725
Severity: Low
Official Advisory: https://curl.se/docs/CVE-2025-0725.html
## Impact
-
Bugzilla
bugzilla · 2025-02-05 · CVSS 7.3 · HIGH
CVE-2025-0725 libcurl: Buffer Overflow in libcurl via zlib Integer Overflow
When libcurl is asked to perform automatic gzip decompression of
content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
make libcurl perform a buffer overflow.
HackerOne
hackerone · 2025-02-05 · CVSS 7.3 · HIGH
CVE-2025-0725: gzip integer overflow
Hello, no AI slop this time. I promise!
The current master branch of [libcurl](https://github.com/curl/curl/tree/7e814c8717939393d4436d75f5f0c3ffa98c8c53) contains a vulnerability in [lib/content_encoding.c](https://github.com/curl/curl/blob/7e814c8717939393d4436d75f5f0c3ffa98c8c53/lib/content_encoding.c#L539) that allows a malicious HTTP-server to craft an arbitrary heap chunk in the memory of the victim and issue a `free()` of that forged chunk, when `Content-Encoding: gzip` is in use.
The vulnerability is in function `gzip_do_write()` in lines 533 - 544:
```c
z->avail_in += (uInt) nbytes;
z->next_in = Curl_saferealloc(z->next_in, z->avail_in);
if(!z->next_in) {
  return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
}
/* Append the new blo
```
References
- https://curl.se/docs/CVE-2025-0725.html
- https://curl.se/docs/CVE-2025-0725.json
- https://hackerone.com/reports/2956023
- http://www.openwall.com/lists/oss-security/2025/02/05/3
- http://www.openwall.com/lists/oss-security/2025/02/06/2
- http://www.openwall.com/lists/oss-security/2025/02/06/4
- https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7
- https://security.netapp.com/advisory/ntap-20250306-0009/
Published: 2025-02-05