CVE-2025-14017
published 2026-01-08
Priority: P427 · medium · 6.3 (CVSS 3.1)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.00% (0.1th percentile)
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.
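Added triage example, written for this page and not code from the curl project or any vendor: the affected-version table on this page is truncated and distributions backport the fix into older version strings, so the check below parses `curl -V` output for the two facts that decide scope, whether the build has LDAPS at all (the bug is in the LDAPS code path) and whether libcurl is below 8.18.0 (the first fixed upstream release, per the Debian and VulDB entries further down), with a flag to record a vendor backport. The sample `curl -V` outputs are constructed, not captured from real hosts.

```python
# Added triage helper for CVE-2025-14017 (example code for this page, not
# curl or vendor tooling).  Parses `curl -V` output and decides whether a
# build is in scope: no "ldaps" in Protocols means the vulnerable code path
# is absent; libcurl >= 8.18.0 carries the upstream fix (last affected
# release 8.17.0, per the VulDB and Debian entries on this page).
import re
import subprocess
from typing import NamedTuple, Optional

FIRST_FIXED_UPSTREAM = (8, 18, 0)


class CurlBuild(NamedTuple):
    version: tuple            # curl tool version, e.g. (8, 17, 0)
    libcurl: tuple            # libcurl version from the "libcurl/x.y.z" token
    protocols: frozenset      # entries of the "Protocols:" line


def parse_version(s: str) -> tuple:
    """'8.17.0' -> (8, 17, 0); tolerates suffixes such as '8.17.0-DEV'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable curl version: {s!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def parse_curl_version_output(text: str) -> CurlBuild:
    """Parse the multi-line output of `curl -V` (alias `curl --version`)."""
    version: Optional[tuple] = None
    libcurl: Optional[tuple] = None
    protocols: frozenset = frozenset()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("curl "):
            # First line: "curl <ver> (<triplet>) libcurl/<ver> <backend>/<ver> ..."
            version = parse_version(line.split()[1])
            m = re.search(r"\blibcurl/(\S+)", line)
            libcurl = parse_version(m.group(1)) if m else version
        elif line.lower().startswith("protocols:"):
            protocols = frozenset(line.split(":", 1)[1].split())
    if version is None or libcurl is None:
        raise ValueError("no 'curl <version>' line found in input")
    return CurlBuild(version, libcurl, protocols)


def assess(build: CurlBuild, vendor_backport_fixed: bool = False) -> tuple:
    """Return (affected, reason) for CVE-2025-14017.

    vendor_backport_fixed=True records that the distro patched the CVE into an
    older version string without rebasing (the Ubuntu USN on this page covers
    14.04 through 20.04 that way), so the upstream number alone is not decisive.
    """
    ver = ".".join(map(str, build.libcurl))
    if "ldaps" not in build.protocols:
        return False, f"libcurl {ver} built without LDAPS; vulnerable code path absent"
    if vendor_backport_fixed:
        return False, f"libcurl {ver}: vendor states CVE-2025-14017 is patched in this package"
    if build.libcurl >= FIRST_FIXED_UPSTREAM:
        return False, f"libcurl {ver} >= 8.18.0 (upstream fix)"
    return True, (f"libcurl {ver} < 8.18.0 with LDAPS enabled: multi-threaded LDAPS users "
                  "can lose certificate verification; upgrade or confirm a vendor backport")


# Constructed sample outputs (not captured from real systems).
SAMPLE_VULNERABLE = """\
curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets
"""
SAMPLE_NO_LDAP = """\
curl 8.17.0 (x86_64-pc-linux-gnu) libcurl/8.17.0 OpenSSL/3.0.13 zlib/1.3
Protocols: file ftp ftps http https
Features: AsynchDNS HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("8.14.1", "8.18.0")


def check_local_curl() -> tuple:
    """Run the installed curl binary and assess it (no network needed)."""
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    return assess(parse_curl_version_output(out))


if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE),
                         ("no-ldap", SAMPLE_NO_LDAP), ("fixed", SAMPLE_FIXED)):
        print(name, assess(parse_curl_version_output(sample)))
    print("local", check_local_curl())
```

The version comparison is deliberately only the last step: an LDAPS-less build is out of scope whatever its version, and for distro packages the package changelog (or the vendor advisory) is the authority, which is what the `vendor_backport_fixed` flag stands in for.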
Affected
153 ranges · showing 25. The list below is truncated to the oldest releases and each row is a single version, so the table is not a usable fix boundary on its own: the Debian and VulDB entries further down put the last affected upstream release at 8.17.0 and the fix in 8.18.0, and the Ubuntu entry shows the fix backported into older distro package versions, so check your package's changelog or vendor advisory rather than this table alone.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.17.0 – 7.17.0 | — |
| curl | curl | 7.17.1 – 7.17.1 | — |
| curl | curl | 7.18.0 – 7.18.0 | — |
| curl | curl | 7.18.1 – 7.18.1 | — |
| curl | curl | 7.18.2 – 7.18.2 | — |
| curl | curl | 7.19.0 – 7.19.0 | — |
| curl | curl | 7.19.1 – 7.19.1 | — |
| curl | curl | 7.19.2 – 7.19.2 | — |
| curl | curl | 7.19.3 – 7.19.3 | — |
| curl | curl | 7.19.4 – 7.19.4 | — |
| curl | curl | 7.19.5 – 7.19.5 | — |
| curl | curl | 7.19.6 – 7.19.6 | — |
| curl | curl | 7.19.7 – 7.19.7 | — |
| curl | curl | 7.20.0 – 7.20.0 | — |
| curl | curl | 7.20.1 – 7.20.1 | — |
| curl | curl | 7.21.0 – 7.21.0 | — |
| curl | curl | 7.21.1 – 7.21.1 | — |
| curl | curl | 7.21.2 – 7.21.2 | — |
| curl | curl | 7.21.3 – 7.21.3 | — |
| curl | curl | 7.21.4 – 7.21.4 | — |
| curl | curl | 7.21.5 – 7.21.5 | — |
| curl | curl | 7.21.6 – 7.21.6 | — |
| curl | curl | 7.21.7 – 7.21.7 | — |
| curl | curl | 7.22.0 – 7.22.0 | — |
| curl | curl | 7.23.0 – 7.23.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| osv | 6.3 | MEDIUM | |
| vendor_debian | 6.3 | LOW | |
| vendor_redhat | 6.3 | MEDIUM | |
| vendor_ubuntu | 5.3 | MEDIUM | |
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-03-03 · CVSS 5.3 · CVE-2025-15224 [MEDIUM]
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-02-25 · CVSS 5.3 · CVE-2025-13034 [MEDIUM]
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
Red Hat
curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers
vendor_redhat · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM] · CWE-1058
A flaw was found in curl. When performing multi-threaded LDAPS (Lightweight Directory Access Protocol Secure) transfers, changes to Transport Layer Security (TLS) options in one thread could inadvertently apply globally, affecting other concurrent transfers. This could lead to unintended security posture changes, such as disabling certificate verificatio
Debian
CVE-2025-14017: curl
vendor_debian · 2025 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Description identical to the CVE text at the top of this page.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.18.0~rc2-1)
sid: resolved (fixed in 8.18.0~rc2-1)
trixie: open
VulDB
cURL up to 8.17.0 Threaded LDAPS certificate validation (39d1976b7f709a516e324333 / Nessus ID 282309)
vuldb · 2026-05-03 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
A vulnerability, which was classified as critical, has been found in cURL up to 8.17.0. Affected by this issue is some unknown functionality of the component Threaded LDAPS. Performing a manipulation results in improper certificate validation.
This vulnerability is cataloged as CVE-2025-14017. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
OSV
curl vulnerabilities
osv · 2026-03-03 · CVSS 5.3 · CVE-2025-14017 [MEDIUM]
Same advisory text as the Ubuntu entry dated 2026-03-03 above (the update corresponding to USN-8062-1 for the older LTS releases).
OSV
curl vulnerabilities
osv · 2026-02-25 · CVSS 5.3 · CVE-2025-9086 [MEDIUM]
Same advisory text as the Ubuntu entry dated 2026-02-25 above.
GHSA
GHSA-jh4h-2cg6-889h
ghsa_unreviewed · 2026-01-08 · CVE-2025-14017 [MEDIUM]
Description identical to the CVE text at the top of this page.
OSV
CVE-2025-14017
osv · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Description identical to the CVE text at the top of this page.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-14017 rpi-imager: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers [fedora-42]
bugzilla · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
Bugzilla
CVE-2025-14017 trustee-guest-components: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers [fedora-42]
bugzilla · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Same community-tracker disclaimer and Fedora Linux 42 end-of-life notice (2026-05-13) as the rpi-imager tracker above.
Bugzilla
CVE-2025-14017 curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers
bugzilla · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Description identical to the CVE text at the top of this page.
Bugzilla
CVE-2025-14017 mingw-curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers [fedora-42]
bugzilla · 2026-01-08 · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
Same community-tracker disclaimer and Fedora Linux 42 end-of-life notice (2026-05-13) as the rpi-imager tracker above.
Wiz
CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
cURL vulnerability analysis and mitigation. Description identical to the CVE text at the top of this page (source: NVD).
Score: 6.3 (CNA score 6.3) · Severity: MEDIUM
Published: January 8, 2026
Affected technologies: cURL, Libcurl
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
EPSS percentile: 0.6 · Exploitation probability (EPSS): N/A
Affected packages and libraries: snphost · cpe:2.3:a:haxx:curl
Sources: Alp · 2026-01-08 · Published