CVE-2025-10148
Severity
5.3MEDIUM
EPSS
0.1%
top 69.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
PublishedSep 12
Latest updateFeb 25
Description
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content c…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4
Patches
🔴Vulnerability Details
5OSV▶
CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says↗2025-09-12
OSV▶
CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says↗2025-09-12
GHSA▶
GHSA-cxvq-c3r3-8gwq: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says↗2025-09-12