CVE-2025-14819 — Improper Certificate Validation in Curl

CWE-295 — Improper Certificate Validation9 documents9 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 86.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl

Timeline

PublishedJan 8

Latest updateFeb 25

Description

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶NVDhaxx/curl7.87.0 — 8.18.0

▶Debianhaxx/curl< 8.18.0~rc3-1

▶CVEListV5curl/curl8.17.0 — 8.17.0+30

Patches

Patch: curl.se ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

CVEList

OpenSSL partial chain store policy bypass↗2026-01-08

▶

GHSA

GHSA-vqhr-m87q-9jqh: When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally re↗2026-01-08

▶

OSV

CVE-2025-14819: When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally re↗2026-01-08

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2026-02-25

▶

Red Hat

curl: libcurl: Improper certificate validation due to cached TLS settings reuse↗2026-01-07

▶

Debian

CVE-2025-14819: curl - When doing TLS related transfers with reused easy or multi handles and altering ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-14819 curl: libcurl: Improper certificate validation due to cached TLS settings reuse↗2025-12-31

▶