CVE-2025-10148
Published 2025-09-12
Priority P4 · 31 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.29% (52.9th percentile)
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
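
The fixed mask described above is observable from the defender's side: in a captured client-to-server WebSocket stream, consecutive masked frames carry the same 4-byte key, which fresh random keys would do only about once in 2^32 frames. The C function below is an added example, not curl's code or part of any advisory; the name `ws_count_mask_reuse` and both byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Walk a client-to-server WebSocket byte stream (RFC 6455 framing) and
 * count masked frames whose 4-byte masking key equals the previous frame's.
 * Returns the repeat count, or -1 on truncated or unmasked input. */
int ws_count_mask_reuse(const uint8_t *buf, size_t len, int *frames)
{
    uint8_t prev[4] = {0};
    int have_prev = 0, reuse = 0;
    size_t pos = 0;
    *frames = 0;
    while (pos < len) {
        if (len - pos < 2) return -1;
        if (!(buf[pos + 1] & 0x80)) return -1;   /* client frames must be masked */
        uint64_t plen = buf[pos + 1] & 0x7f;     /* 7-bit length field */
        size_t ext = plen == 126 ? 2 : plen == 127 ? 8 : 0;
        pos += 2;
        if (len - pos < ext + 4) return -1;      /* extended length + key */
        if (ext) plen = 0;
        for (size_t i = 0; i < ext; i++)         /* big-endian extended length */
            plen = (plen << 8) | buf[pos++];
        if (have_prev && memcmp(prev, buf + pos, 4) == 0)
            reuse++;                             /* same key as previous frame */
        memcpy(prev, buf + pos, 4);
        have_prev = 1;
        pos += 4;
        if (plen > len - pos) return -1;         /* payload truncated */
        pos += (size_t)plen;
        (*frames)++;
    }
    return reuse;
}

/* Constructed samples: two masked text frames, "Hi" then "Yo". */
static const uint8_t SAMPLE_FIXED[] = {          /* key reused across frames */
    0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 'H' ^ 0x11, 'i' ^ 0x22,
    0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 'Y' ^ 0x11, 'o' ^ 0x22 };
static const uint8_t SAMPLE_FRESH[] = {          /* new key per frame */
    0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 'H' ^ 0x11, 'i' ^ 0x22,
    0x81, 0x82, 0xa5, 0x5a, 0xc3, 0x3c, 'Y' ^ 0xa5, 'o' ^ 0x5a };

int main(void)
{
    int n, r = ws_count_mask_reuse(SAMPLE_FIXED, sizeof SAMPLE_FIXED, &n);
    printf("fixed-mask sample: %d repeat(s) in %d frames\n", r, n);
    return 0;
}
```
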
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.11.0 – 8.11.0 | — |
| curl | curl | 8.11.1 – 8.11.1 | — |
| curl | curl | 8.12.0 – 8.12.0 | — |
| curl | curl | 8.12.1 – 8.12.1 | — |
| curl | curl | 8.13.0 – 8.13.0 | — |
| curl | curl | 8.14.0 – 8.14.0 | — |
| curl | curl | 8.14.1 – 8.14.1 | — |
| curl | curl | 8.15.0 – 8.15.0 | — |
| debian | curl | < curl 8.16.0-1 (forky) | curl 8.16.0-1 (forky) |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.16.0-r0 | 8.16.0-r0 |
| haxx | curl | >= 0 < 8.14.1-2+deb13u1 | 8.14.1-2+deb13u1 |
| haxx | curl | >= 0 < 8.16.0-1 | 8.16.0-1 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.22 | 7.81.0-1ubuntu1.22 |
| haxx | curl | >= 0 < 8.5.0-2ubuntu10.7 | 8.5.0-2ubuntu10.7 |
| haxx | curl | >= 0 < 8.14.1-2ubuntu1.1 | 8.14.1-2ubuntu1.1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm19 | 7.35.0-1ubuntu2.20+esm19 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.19+esm15 | 7.47.0-1ubuntu2.19+esm15 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.24+esm7 | 7.58.0-2ubuntu3.24+esm7 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.25+esm2 | 7.68.0-1ubuntu2.25+esm2 |
| haxx | curl | >= 8.11.0 < 8.16.0 | 8.16.0 |
| msrc | azl3_cmake_3.30.3-10_on_azure_linux_3.0 | — | — |
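CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |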
OSV
curl vulnerabilities
osv·2026-03-03·CVSS 5.3
CVE-2025-14017 [MEDIUM] curl vulnerabilities
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV
curl vulnerabilities
osv·2026-02-25·CVSS 5.3
CVE-2025-9086 [MEDIUM] curl vulnerabilities
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
OSV
CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says
osv·2025-09-12·CVSS 5.3
CVE-2025-10148 [MEDIUM] CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
GHSA
GHSA-cxvq-c3r3-8gwq: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says
ghsa_unreviewed·2025-09-12
CVE-2025-10148 [MEDIUM] GHSA-cxvq-c3r3-8gwq: curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-03·CVSS 5.3
CVE-2025-15224 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-02-25·CVSS 5.3
CVE-2025-13034 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
CISA ICS
Siemens COMOS
cisa_ics·2026-02-12·CVSS 3.4
[LOW] Siemens COMOS
ICS Advisory
## Siemens COMOS
Release Date: February 12, 2026
Alert Code: ICSA-26-043-03
## Summary
COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code, cause a denial of service condition or data infiltration, or perform access control violations. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
The following versions of Siemens COMOS are affected:
- COMOS V10.4 vers:intdot/<10.4.5, vers:intdot/<10.4.5 (CVE-2024-47875, CVE-2025-278
Red Hat
curl: predictable WebSocket mask
vendor_redhat·2025-09-12·CVSS 5.3
CVE-2025-10148 [MEDIUM] CWE-340 curl: predictable WebSocket mask
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
A flaw was found in curl. The use of a predictable WebSocket mask pattern allows a malicious server to induce traffic that an intermediary proxy (whether configured or transparent) will misinterpret as a standard HTTP
Microsoft
predictable WebSocket mask
vendor_msrc·2025-09-09·CVSS 6.5
CVE-2025-10148 [MEDIUM] predictable WebSocket mask
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azur
Debian
CVE-2025-10148: curl - curl's websocket code did not update the 32 bit mask pattern for each new outgo...
vendor_debian·2025·CVSS 5.3
CVE-2025-10148 [MEDIUM] CVE-2025-10148: curl - curl's websocket code did not update the 32 bit mask pattern for each new outgo...
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 8.16.0-1)
sid: resolved (fixed in 8.16.0-1)
trixie: resolved (fixed in 8.14.1-2+deb13u1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-10148 curl: predictable WebSocket mask
bugzilla·2025-09-12·CVSS 5.3
CVE-2025-10148 [MEDIUM] CVE-2025-10148 curl: predictable WebSocket mask
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
Bugzilla
CVE-2025-10148 mingw-curl: predictable WebSocket mask [fedora-42]
bugzilla·2025-09-12·CVSS 5.3
CVE-2025-10148 [MEDIUM] CVE-2025-10148 mingw-curl: predictable WebSocket mask [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases
HackerOne
CVE-2025-10148: predictable WebSocket mask
hackerone·2025-09-10·CVSS 5.3
CVE-2025-10148 [MEDIUM] CVE-2025-10148: predictable WebSocket mask
No AI was involved.
## Summary:
The curl WebSocket implementation generates a fixed masking key at the beginning of a connection and re-uses it for every frame:
* Generation of masking key `enc.mask` in `Curl_ws_accept`: https://github.com/curl/curl/blob/455afa1de5182b95a5dcc988f18cdff584b95239/lib/ws.c#L1340
* Usage in `ws_enc_write_head`: https://github.com/curl/curl/blob/455afa1de5182b95a5dcc988f18cdff584b95239/lib/ws.c#L879
* Usage in `ws_enc_write_payload`: https://github.com/curl/curl/blob/455afa1de5182b95a5dcc988f18cdff584b95239/lib/ws.c#L930
[RFC-6455 §5.3](https://datatracker.ietf.org/doc/html/rfc6455#section-5.3) states:
> [...] The masking key is a 32-bit value chosen at random by the client. When preparing a masked frame, the client