CVE-2025-11563 — Path Traversal in Curl Wcurl

CWE-22 — Path Traversal9 documents9 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 95.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl Wcurl Curl

Timeline

PublishedFeb 25

Description

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶NVDcurl/wcurl2024-12-08 — 2025-11-09

▶Debianhaxx/curl< 8.14.1-2+deb13u2+1

▶CVEListV5curl/curl8.17.0 — 8.17.0+4

Patches

Patch: curl.se ↗Patch: lists.debian.org ↗

🔴Vulnerability Details

CVEList

wcurl path traversal with percent-encoded slashes↗2026-02-25

▶

GHSA

GHSA-6xq2-fm6w-mxfm: URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user exp↗2026-02-25

▶

OSV

CVE-2025-11563: URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user exp↗2026-02-25

▶

📋Vendor Advisories

Red Hat

wcurl: wcurl: Arbitrary file placement via crafted URLs↗2026-02-25

▶

Ubuntu

curl vulnerabilities↗2026-02-25

▶

Microsoft

wcurl path traversal with percent-encoded slashes↗2026-02-10

▶

Debian

CVE-2025-11563: curl - URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶