CVE-2025-14017

CWE-105810 documents8 sources
Severity
6.3MEDIUM
EPSS
0.0%
top 99.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Haxx CurlCurl Curl
Timeline
PublishedJan 8
Latest updateMar 3

Description

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 1.0 | Impact: 5.2

Affected Packages4 packages

NVDhaxx/curl7.17.08.18.0
Debiancurl< 8.18.0~rc2-1
Ubuntucurl< 7.35.0-1ubuntu2.20+esm19+3
CVEListV5curl/curl8.17.08.17.0+142

🔴Vulnerability Details

4
OSV
curl vulnerabilities2026-03-03
CVEList
broken TLS options for threaded LDAPS2026-01-08
GHSA
GHSA-jh4h-2cg6-889h: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally an2026-01-08
OSV
CVE-2025-14017: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally an2026-01-08

📋Vendor Advisories

4
Ubuntu
curl vulnerabilities2026-03-03
Ubuntu
curl vulnerabilities2026-02-25
Red Hat
curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers2026-01-08
Debian
CVE-2025-14017: curl - When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14017 (MEDIUM CVSS 6.3) | When doing multi-threaded LDAPS tra | cvebase.io