CVE-2025-13034
Published 2026-01-08
Priority: P4 · Severity: medium · CVSS 3.1 base score: 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (network, high attack complexity, no privileges, no user interaction, unchanged scope; confidentiality none, integrity high, availability none)
EPSS: 0.01% (0.6th percentile)
When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer.
This check was skipped under one specific condition, so curl allowed the connection without performing the pinning check and could therefore miss an impostor. To reach that condition, the connection had to be made over QUIC with ngtcp2 built to use GnuTLS, and the user had to have explicitly disabled the standard certificate verification (`-k`/`--insecure` for the tool, `CURLOPT_SSL_VERIFYPEER` set to 0 for libcurl). That is exactly the configuration in which the pin is the only check tying the connection to the intended server, so an attacker who can answer the QUIC handshake from the client's network path could impersonate it; the vector's AC:H and C:N/I:H/A:N reflect that positioning requirement and the integrity-only impact. Fixed in curl 8.18.0.
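The three preconditions above (an affected release, an HTTP/3 stack of ngtcp2 on GnuTLS, and `--pinnedpubkey` combined with disabled verification) can be audited from `curl -V` output plus the command line that will be run. The following Python is an added example written for this page, not curl project code: its `curl -V` samples are constructed, the `sha256//PLACEHOLDER` pin is a placeholder, and reading `GnuTLS` together with `ngtcp2` on the version line as an ngtcp2-over-GnuTLS QUIC stack is an assumption (a MultiSSL build could pair ngtcp2 with a different backend). For libcurl callers the equivalent invocation check is `CURLOPT_SSL_VERIFYPEER` set to 0 alongside `CURLOPT_PINNEDPUBLICKEY` on a connection that may negotiate QUIC.

```python
"""Audit a curl build and a curl command line for the CVE-2025-13034 preconditions.

Added example for this page, not curl project code. The `curl -V` samples are
constructed, and the pin value in main() is a placeholder.
"""
import re
import subprocess

# Release range named by the advisory: 8.8.0 through 8.17.0, fixed in 8.18.0.
# Distributions backport fixes without changing the version string, so a hit
# here means "check the vendor changelog", not proof of exposure.
AFFECTED_MIN = (8, 8, 0)
AFFECTED_MAX = (8, 17, 0)

# Constructed sample outputs (not captured from real hosts).
SAMPLE_GNUTLS_H3 = """\
curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 GnuTLS/3.8.9 zlib/1.3.1 libidn2/2.3.8 nghttp2/1.64.0 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: dict file ftp ftps http https imap imaps
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz SSL threadsafe UnixSockets
"""
SAMPLE_OPENSSL_H3 = """\
curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.5.0 zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: http https
Features: alt-svc AsynchDNS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_FIXED = SAMPLE_GNUTLS_H3.replace("8.14.1", "8.18.0")


def parse_version(text):
    """'8.14.1' -> (8, 14, 1); tolerates suffixes such as '8.18.0-DEV'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unparseable curl version: %r" % text)
    return tuple(int(x) for x in m.groups())


def parse_curl_v(output):
    """Extract version, linked libraries and feature flags from `curl -V` text."""
    lines = output.strip().splitlines()
    head = lines[0].split()
    if len(head) < 2 or head[0] != "curl":
        raise ValueError("not `curl -V` output")
    # Library tokens look like "GnuTLS/3.8.9"; some, such as "(+libidn2/2.3.7)",
    # carry parentheses, hence the strip() before taking the name.
    libs = {tok.strip("()+").split("/", 1)[0] for tok in head[2:] if "/" in tok}
    features = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return {"version": parse_version(head[1]), "libs": libs, "features": features}


def build_is_affected(info):
    """True when the build matches every build-side precondition in the advisory.

    Assumption: ngtcp2 uses the TLS library curl was built with, so "GnuTLS"
    and "ngtcp2" together on the version line are read as ngtcp2-over-GnuTLS.
    """
    v = info["version"]
    return (AFFECTED_MIN <= v <= AFFECTED_MAX
            and "HTTP3" in info["features"]
            and {"ngtcp2", "GnuTLS"} <= info["libs"])


def invocation_flags(argv):
    """Classify a curl tool command line; short options may be clustered (-sSk).

    Heuristic: a lowercase 'k' inside a short-option cluster is read as
    --insecure, which misfires on an argument glued to a short flag (e.g. -Hk).
    """
    pinned = insecure = quic = False
    for tok in argv:
        if tok.startswith("--"):
            name = tok.split("=", 1)[0]
            pinned = pinned or name == "--pinnedpubkey"
            insecure = insecure or name == "--insecure"
            # --alt-svc lets curl switch to h3 later if the server advertised it
            quic = quic or name in ("--http3", "--http3-only", "--alt-svc")
        elif tok.startswith("-") and len(tok) > 1:
            insecure = insecure or "k" in tok[1:]
    return {"pinned": pinned, "insecure": insecure, "quic": quic}


def pinning_is_bypassable(info, argv):
    """Build and invocation together hit CVE-2025-13034: pinning is requested,
    standard verification is off, QUIC is in play, and the build is affected."""
    f = invocation_flags(argv)
    return build_is_affected(info) and f["pinned"] and f["insecure"] and f["quic"]


def audit_local(argv):
    """Same check against the curl binary on this host (needs curl on PATH)."""
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    return pinning_is_bypassable(parse_curl_v(out), argv)


if __name__ == "__main__":
    cmd = ["--http3", "-sSk", "--pinnedpubkey", "sha256//PLACEHOLDER", "https://example.test/"]
    for label, sample in (("gnutls+h3 8.14.1", SAMPLE_GNUTLS_H3),
                          ("openssl+h3 8.14.1", SAMPLE_OPENSSL_H3),
                          ("gnutls+h3 8.18.0", SAMPLE_FIXED)):
        info = parse_curl_v(sample)
        print("%-18s affected build: %-5s  pin bypassable for cmd: %s"
              % (label, build_is_affected(info), pinning_is_bypassable(info, cmd)))
```

The only command line that clears every check on an affected build is the one that disables verification and relies on the pin; dropping `-k` (keeping normal verification and adding the pin on top) is safe on every version, because then the CA check still rejects an impostor even where the pin check is skipped. `audit_local()` runs the same logic against the host's own curl.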
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.10.0 – 8.10.0 | — |
| curl | curl | 8.10.1 – 8.10.1 | — |
| curl | curl | 8.11.0 – 8.11.0 | — |
| curl | curl | 8.11.1 – 8.11.1 | — |
| curl | curl | 8.12.0 – 8.12.0 | — |
| curl | curl | 8.12.1 – 8.12.1 | — |
| curl | curl | 8.13.0 – 8.13.0 | — |
| curl | curl | 8.14.0 – 8.14.0 | — |
| curl | curl | 8.14.1 – 8.14.1 | — |
| curl | curl | 8.15.0 – 8.15.0 | — |
| curl | curl | 8.16.0 – 8.16.0 | — |
| curl | curl | 8.17.0 – 8.17.0 | — |
| curl | curl | 8.8.0 – 8.8.0 | — |
| curl | curl | 8.9.0 – 8.9.0 | — |
| curl | curl | 8.9.1 – 8.9.1 | — |
| debian | curl | < curl 8.18.0~rc2-1 (forky) | curl 8.18.0~rc2-1 (forky) |
| haxx | curl | >= 0 < 8.18.0~rc2-1 | 8.18.0~rc2-1 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.22 | 7.81.0-1ubuntu1.22 |
| haxx | curl | >= 0 < 8.5.0-2ubuntu10.7 | 8.5.0-2ubuntu10.7 |
| haxx | curl | >= 0 < 8.14.1-2ubuntu1.1 | 8.14.1-2ubuntu1.1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm19 | 7.35.0-1ubuntu2.20+esm19 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.19+esm15 | 7.47.0-1ubuntu2.19+esm15 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.24+esm7 | 7.58.0-2ubuntu3.24+esm7 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.25+esm2 | 7.68.0-1ubuntu2.25+esm2 |
| haxx | curl | >= 8.8.0 < 8.18.0 | 8.18.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | LOW | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
VulDB
cURL up to 8.17.0 QUIC Certificate certificate validation (3d91ca8cdb3b434226e743946 / Nessus ID 282310)
vuldb · 2026-05-03 · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
A vulnerability classified as critical was found in cURL up to 8.17.0. Affected by this vulnerability is an unknown functionality of the component QUIC Certificate Handler. Such manipulation leads to improper certificate validation.
This vulnerability is listed as CVE-2025-13034. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
OSV
curl vulnerabilities
osv · 2026-03-03 · CVSS 5.3 · CVE-2025-14017 [MEDIUM]
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
OSV
curl vulnerabilities
osv · 2026-02-25 · CVSS 5.3 · CVE-2025-9086 [MEDIUM]
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
GHSA
GHSA-9r76-qj98-jfhc
ghsa_unreviewed · 2026-01-08 · CVE-2025-13034 [MEDIUM] · CWE-295
Description: same text as the advisory description above.
OSV
CVE-2025-13034
osv · 2026-01-08 · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
Description: same text as the advisory description above.
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-03-03 · CVSS 5.3 · CVE-2025-15224 [MEDIUM]
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-02-25 · CVSS 5.3 · CVE-2025-13034 [MEDIUM]
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
Red Hat
curl: Public key pinning bypass via QUIC and GnuTLS allows server impersonation
vendor_redhat · 2026-01-07 · CVSS 5.9 · CVE-2025-13034 [MEDIUM] · CWE-295
Description: same text as the advisory description above, followed by Red Hat's own summary:
A flaw was found in curl. When configured to use public key pinning with QUIC connections and GnuTLS, and with standard certificate verification explicitly disabled, curl could bypass the intended public
Debian
CVE-2025-13034: curl
vendor_debian · 2025 · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
Description: same text as the advisory description above.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.18.0~rc2-1)
sid: resolved (fixed in 8.18.0~rc2-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
cURL vulnerability analysis and mitigation. Description: same text as the advisory description above (source: NVD).
Score: 5.9 (CNA score 5.9) · Severity: MEDIUM · Published: January 8, 2026
Affected technologies: cURL, libcurl
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability percentile (EPSS): 1.2 · Exploitation probability (EPSS): N/A
Affected packages and libraries: curl
Bugzilla
CVE-2025-13034 curl: Public key pinning bypass via QUIC and GnuTLS allows server impersonation
bugzilla · 2025-12-31 · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`
with the curl tool, curl checks the public key of the server certificate to
verify the peer.
This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.
Published: 2026-01-08