CVE-2025-14819
Published 2026-01-08
PriorityP425medium5.3CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.03% (8.9th percentile)
When doing TLS-related transfers with reused easy or multi handles and
altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
reuse a CA store cached in memory for which the partial chain option was
reversed, contrary to the user's wishes and expectations. This could make
libcurl find and accept a trust chain that it otherwise would not.
Affected (41 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.87.0 – 7.87.0 | — |
| curl | curl | 7.88.0 – 7.88.0 | — |
| curl | curl | 7.88.1 – 7.88.1 | — |
| curl | curl | 8.0.0 – 8.0.0 | — |
| curl | curl | 8.0.1 – 8.0.1 | — |
| curl | curl | 8.1.0 – 8.1.0 | — |
| curl | curl | 8.1.1 – 8.1.1 | — |
| curl | curl | 8.1.2 – 8.1.2 | — |
| curl | curl | 8.10.0 – 8.10.0 | — |
| curl | curl | 8.10.1 – 8.10.1 | — |
| curl | curl | 8.11.0 – 8.11.0 | — |
| curl | curl | 8.11.1 – 8.11.1 | — |
| curl | curl | 8.12.0 – 8.12.0 | — |
| curl | curl | 8.12.1 – 8.12.1 | — |
| curl | curl | 8.13.0 – 8.13.0 | — |
| curl | curl | 8.14.0 – 8.14.0 | — |
| curl | curl | 8.14.1 – 8.14.1 | — |
| curl | curl | 8.15.0 – 8.15.0 | — |
| curl | curl | 8.16.0 – 8.16.0 | — |
| curl | curl | 8.17.0 – 8.17.0 | — |
| curl | curl | 8.2.0 – 8.2.0 | — |
| curl | curl | 8.2.1 – 8.2.1 | — |
| curl | curl | 8.3.0 – 8.3.0 | — |
| curl | curl | 8.4.0 – 8.4.0 | — |
| curl | curl | 8.5.0 – 8.5.0 | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| osv | 5.3 | MEDIUM | |
| vendor_debian | 5.3 | MEDIUM | |
| vendor_redhat | 5.3 | MEDIUM | |
| vendor_ubuntu | 5.3 | MEDIUM | |
VulDB
CVE-2025-14819 [MEDIUM] cURL up to 8.17.0 OpenSSL access control (cd046f6c93b39d673a58c1864 / Nessus ID 282311)
vuldb·2026-05-03·CVSS 5.3
A vulnerability has been found in cURL up to 8.17.0 and classified as critical. This vulnerability affects unknown code of the component OpenSSL. The manipulation leads to improper access controls.
This vulnerability is documented as CVE-2025-14819. The attack can be initiated remotely. There is no exploit available.
The affected component should be upgraded.
OSV
CVE-2025-14017 [MEDIUM] curl vulnerabilities
osv·2026-03-03·CVSS 5.3
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV
CVE-2025-9086 [MEDIUM] curl vulnerabilities
osv·2026-02-25·CVSS 5.3
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
GHSA
GHSA-vqhr-m87q-9jqh: CVE-2025-14819 [MEDIUM] CWE-295
ghsa_unreviewed·2026-01-08
OSV
CVE-2025-14819 [MEDIUM]
osv·2026-01-08·CVSS 5.3
Ubuntu
CVE-2025-15224 [MEDIUM] curl vulnerabilities
vendor_ubuntu·2026-03-03·CVSS 5.3
Summary: Several security issues were fixed in curl.
Ubuntu
CVE-2025-13034 [MEDIUM] curl vulnerabilities
vendor_ubuntu·2026-02-25·CVSS 5.3
Summary: Several security issues were fixed in curl.
Red Hat
CVE-2025-14819 [MEDIUM] CWE-295 curl: libcurl: Improper certificate validation due to cached TLS settings reuse
vendor_redhat·2026-01-07·CVSS 5.3
A flaw was found in libcurl. When handling secure connections (TLS) and reusing connection settings, libcurl could incorrectly apply a cached security setting related to certificate chain validation. This could allow libcurl to accept a server's security certificate that it should have otherwise rejected, potentially compromising the integrity of the sec
Debian
CVE-2025-14819 [MEDIUM] curl
vendor_debian·2025·CVSS 5.3
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 8.18.0~rc3-1)
sid: resolved (fixed in 8.18.0~rc3-1)
trixie: open
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
blogs_hackernews·2026-04-06
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers —Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Wiz
CVE-2025-14819 [MEDIUM] CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2025-14819: cURL vulnerability analysis and mitigation
`CURLSSLOPT_NO_PARTIALCHAIN`
Source: NVD
Score: 5.3
Published: January 8, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: cURL, Libcurl
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-minimal-debuginfo, libcurl-devel-doc
Sources

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 | MEDIUM | Has Fix | Jan 21, 2026 |
| Alpine 3.22, 3.23 | MEDIUM | Has Fix | Jan 28, 2026 |
| Alpine edge | MEDIUM | Has Fix | Jan 08, 2026 |
| Container-Optimized OS | MEDIUM | Has Fix | Mar 03, 2026 |
Debian 1
Bugzilla
CVE-2025-14819 [MEDIUM] curl: libcurl: Improper certificate validation due to cached TLS settings reuse
bugzilla·2025-12-31·CVSS 5.3
Published 2026-01-08