CVE-2025-15079
Published 2026-01-08
Priority P4 · 26 · medium · CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.03% (9.1th percentile)
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.
Affected (80 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.58.0 – 7.58.0 | — |
| curl | curl | 7.59.0 – 7.59.0 | — |
| curl | curl | 7.60.0 – 7.60.0 | — |
| curl | curl | 7.61.0 – 7.61.0 | — |
| curl | curl | 7.61.1 – 7.61.1 | — |
| curl | curl | 7.62.0 – 7.62.0 | — |
| curl | curl | 7.63.0 – 7.63.0 | — |
| curl | curl | 7.64.0 – 7.64.0 | — |
| curl | curl | 7.64.1 – 7.64.1 | — |
| curl | curl | 7.65.0 – 7.65.0 | — |
| curl | curl | 7.65.1 – 7.65.1 | — |
| curl | curl | 7.65.2 – 7.65.2 | — |
| curl | curl | 7.65.3 – 7.65.3 | — |
| curl | curl | 7.66.0 – 7.66.0 | — |
| curl | curl | 7.67.0 – 7.67.0 | — |
| curl | curl | 7.68.0 – 7.68.0 | — |
| curl | curl | 7.69.0 – 7.69.0 | — |
| curl | curl | 7.69.1 – 7.69.1 | — |
| curl | curl | 7.70.0 – 7.70.0 | — |
| curl | curl | 7.71.0 – 7.71.0 | — |
| curl | curl | 7.71.1 – 7.71.1 | — |
| curl | curl | 7.72.0 – 7.72.0 | — |
| curl | curl | 7.73.0 – 7.73.0 | — |
| curl | curl | 7.74.0 – 7.74.0 | — |
| curl | curl | 7.75.0 – 7.75.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| osv | 5.3 | MEDIUM | — |
| vendor_debian | 5.3 | LOW | — |
| vendor_redhat | 5.3 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
VulDB · vuldb · 2026-05-03 · CVSS 5.3
CVE-2025-15079 [MEDIUM] cURL up to 8.17.0 libssh access control (c92d2e14cfb0db662f958effd2ac86f99 / Nessus ID 282308)
A vulnerability was found in cURL up to 8.17.0 and classified as critical. This issue affects some unknown processing of the component libssh. The manipulation results in improper access controls.
This vulnerability is reported as CVE-2025-15079. The attacker must have access to the local network to execute the attack. No exploit exists.
It is suggested to upgrade the affected component.
OSV · osv · 2026-03-03 · CVSS 5.3
CVE-2025-14017 [MEDIUM] curl vulnerabilities
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV · osv · 2026-02-25 · CVSS 5.3
CVE-2025-9086 [MEDIUM] curl vulnerabilities
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
GHSA · ghsa_unreviewed · 2026-01-08
CVE-2025-15079 [MEDIUM] CWE-297 GHSA-7q9p-cx8r-rh2q
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.
OSV · osv · 2026-01-08 · CVSS 5.3
CVE-2025-15079 [MEDIUM]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
Ubuntu · vendor_ubuntu · 2026-03-03 · CVSS 5.3
CVE-2025-15224 [MEDIUM] curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Ubuntu · vendor_ubuntu · 2026-02-25 · CVSS 5.3
CVE-2025-13034 [MEDIUM] curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
Red Hat · vendor_redhat · 2026-01-07 · CVSS 5.3
CVE-2025-15079 [MEDIUM] CWE-358 curl: Host verification bypass during SSH transfers
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.
A flaw was found in curl. When performing SSH-based transfers using SCP or SFTP, libcurl could mistakenly connect to hosts not listed in the user-specified knownhosts file. This occurs if the host is present in the libssh global knownhosts file, effectively bypassing the intended host verification. This could allow a remote attacker to connect to an untrusted host, potentially leading to information disclosure or man-in-the-middle attacks.
Statement: This vulnerability is rated Imp
Debian · vendor_debian · 2025 · CVSS 5.3
CVE-2025-15079 [MEDIUM] curl
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.18.0~rc3-1)
sid: resolved (fixed in 8.18.0~rc3-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-15079 [MEDIUM] CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15079: cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.
Source: NVD
Score: 5.3
Published: January 8, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: curl-debuginfo, libcurl-devel
Sources: Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MED
HackerOne · hackerone · 2026-01-07 · CVSS 5.3
CVE-2025-15079 [MEDIUM] libssh global knownhost override
## Summary:
libssh has `SSH_OPTIONS_GLOBAL_KNOWNHOSTS`, which specifies a global known_hosts file that will be used if the host is not found in the file specified by `SSH_OPTIONS_KNOWNHOSTS`. libcurl's `CURLOPT_SSH_KNOWNHOSTS` doesn't specify an invalid (or `/dev/null`) path for `SSH_OPTIONS_GLOBAL_KNOWNHOSTS`, resulting in libcurl accepting any host identities that might be specified in the default file. This is significant when a user tries to limit the known hosts to the ones specified in their own file, as the global file will be checked if no match is found in the user-specified file.
By default this file is `/etc/ssh/ssh_known_hosts`, and thus not modifiable by non-privileged user (at least on major platforms). Thus in most situations t
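The following Python is an added illustration, not code from curl, libssh or the HackerOne report. It models the lookup order the summary describes: a user-specified known_hosts file is consulted first and, if the host is unknown there, a global file is consulted as a fallback. The two files, the host names and the key blobs are constructed inline (the "keys" are not real SSH keys), and the lookup order is a simplified model of the behaviour stated above rather than libssh's implementation. It shows the same host being rejected under a strict check, accepted once the global file is in the path, and rejected again when the global file is pointed at an empty file, which is the mitigation the report alludes to.

```python
"""Model of the known_hosts lookup order behind CVE-2025-15079.

Added illustration: not curl or libssh code. The lookup order is a
simplified model of the behaviour described in the HackerOne summary.
"""
import base64
import hashlib
import hmac

# Constructed key material: distinct opaque blobs standing in for host keys.
KEY_A = base64.b64encode(b"constructed-key-for-backup.example").decode()
KEY_B = base64.b64encode(b"constructed-key-for-other.example").decode()


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build the OpenSSH hashed-hostname form |1|salt|hmac (HashKnownHosts yes)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed user file: what the caller points CURLOPT_SSH_KNOWNHOSTS at.
USER_KNOWN_HOSTS = "backup.example ssh-ed25519 %s\n" % KEY_A

# Constructed system-wide file: stands in for the libssh default global file
# (/etc/ssh/ssh_known_hosts per the report). It lists a host the user never
# trusted, in hashed form so the parser's hashed-entry path is exercised too.
GLOBAL_KNOWN_HOSTS = "%s ssh-ed25519 %s\n" % (
    hashed_host_entry("other.example", b"\x01" * 20), KEY_B)


def parse_known_hosts(text: str):
    """Return (host pattern, key type, key) triples; skips blanks, comments, short lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """Match a plain or comma-separated hostname list, or a |1|salt|hash entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


def check_file(text: str, host: str, keytype: str, key: str) -> str:
    """Check one file: 'ok' (host and key match), 'changed' (host known, key
    differs) or 'unknown' (host not listed)."""
    saw_host = False
    for pattern, ktype, k in parse_known_hosts(text):
        if host_matches(pattern, host) and ktype == keytype:
            saw_host = True
            if hmac.compare_digest(k, key):
                return "ok"
    return "changed" if saw_host else "unknown"


def verify_host(host, keytype, key, user_file, global_file=None):
    """Modelled lookup order: the user file decides unless the host is unknown
    there and a global file is configured, in which case the global file is
    consulted. Returns (verdict, file that produced an 'ok' or None)."""
    verdict = check_file(user_file, host, keytype, key)
    if verdict != "unknown" or global_file is None:
        return verdict, ("user" if verdict == "ok" else None)
    verdict = check_file(global_file, host, keytype, key)
    return verdict, ("global" if verdict == "ok" else None)


def demo():
    """Same host and key under three configurations of the global file."""
    host, kt = "other.example", "ssh-ed25519"
    return {
        # What the caller intended: only the user file counts.
        "strict": verify_host(host, kt, KEY_B, USER_KNOWN_HOSTS, global_file=None),
        # The reported behaviour: the default global file widens the accepted set.
        "default_global": verify_host(host, kt, KEY_B, USER_KNOWN_HOSTS, GLOBAL_KNOWN_HOSTS),
        # Mitigation from the report: point the global file at an empty file.
        "empty_global": verify_host(host, kt, KEY_B, USER_KNOWN_HOSTS, global_file=""),
    }


if __name__ == "__main__":
    for name, (verdict, source) in demo().items():
        print("%-15s verdict=%-8s matched_in=%s" % (name, verdict, source))
```

The `strict` and `empty_global` cases both end in `unknown`, which is what a caller restricting trust to its own file expects; only `default_global` reports `ok`, and the second tuple element records that the match came from the global file rather than the one the caller supplied. A `changed` verdict for a host that is listed with a different key is kept distinct from `unknown` so the fallback is never taken for a host the user file already knows.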
Bugzilla · bugzilla · 2025-12-31 · CVSS 5.3
CVE-2025-15079 [MEDIUM] curl: Host verification bypass during SSH transfers
When doing SSH-based transfers using either SCP or SFTP, and setting the
knownhosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* knownhosts file.
Published: 2026-01-08