CVE-2025-15224
published 2026-01-08CVE-2025-15224: When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a…
PriorityP414low3.1CVSS 3.1
AVNACHPRNUIRSUCNILAN
EPSS
0.06%
20.4th percentile
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Affected
80 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.58.0 – 7.58.0 | — |
| curl | curl | 7.59.0 – 7.59.0 | — |
| curl | curl | 7.60.0 – 7.60.0 | — |
| curl | curl | 7.61.0 – 7.61.0 | — |
| curl | curl | 7.61.1 – 7.61.1 | — |
| curl | curl | 7.62.0 – 7.62.0 | — |
| curl | curl | 7.63.0 – 7.63.0 | — |
| curl | curl | 7.64.0 – 7.64.0 | — |
| curl | curl | 7.64.1 – 7.64.1 | — |
| curl | curl | 7.65.0 – 7.65.0 | — |
| curl | curl | 7.65.1 – 7.65.1 | — |
| curl | curl | 7.65.2 – 7.65.2 | — |
| curl | curl | 7.65.3 – 7.65.3 | — |
| curl | curl | 7.66.0 – 7.66.0 | — |
| curl | curl | 7.67.0 – 7.67.0 | — |
| curl | curl | 7.68.0 – 7.68.0 | — |
| curl | curl | 7.69.0 – 7.69.0 | — |
| curl | curl | 7.69.1 – 7.69.1 | — |
| curl | curl | 7.70.0 – 7.70.0 | — |
| curl | curl | 7.71.0 – 7.71.0 | — |
| curl | curl | 7.71.1 – 7.71.1 | — |
| curl | curl | 7.72.0 – 7.72.0 | — |
| curl | curl | 7.73.0 – 7.73.0 | — |
| curl | curl | 7.74.0 – 7.74.0 | — |
| curl | curl | 7.75.0 – 7.75.0 | — |
CVSS provenance
nvdv3.13.1LOWCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
osv5.3MEDIUM
vendor_ubuntu5.3MEDIUM
vendor_debian3.1LOW
vendor_redhat3.1LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
cURL up to 8.17.0 libssh improper authentication (c92d2e14cfb0db662f958effd2ac86f99 / Nessus ID 282312)
vuldb·2026-05-03·CVSS 3.1
CVE-2025-15224 [LOW] cURL up to 8.17.0 libssh improper authentication (c92d2e14cfb0db662f958effd2ac86f99 / Nessus ID 282312)
A vulnerability was found in cURL up to 8.17.0. It has been classified as critical. Impacted is an unknown function of the component libssh. This manipulation causes improper authentication.
This vulnerability appears as CVE-2025-15224. The attack requires local access. There is no available exploit.
Upgrading the affected component is recommended.
OSV
curl vulnerabilities
osv·2026-03-03·CVSS 5.3
CVE-2025-14017 [MEDIUM] curl vulnerabilities
curl vulnerabilities
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV
curl vulnerabilities
osv·2026-02-25·CVSS 5.3
CVE-2025-9086 [MEDIUM] curl vulnerabilities
curl vulnerabilities
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
OSV
CVE-2025-15224: When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usin
osv·2026-01-08·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224: When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usin
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
GHSA
GHSA-hccr-q52r-4w88: When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate usin
ghsa_unreviewed·2026-01-08
CVE-2025-15224 [LOW] CWE-287 GHSA-hccr-q52r-4w88: When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate usin
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-03·CVSS 5.3
CVE-2025-15224 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-02-25·CVSS 5.3
CVE-2025-13034 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
Red Hat
curl: libssh key passphrase bypass without agent set
vendor_redhat·2026-01-07·CVSS 3.1
CVE-2025-15224 [LOW] CWE-305 curl: libssh key passphrase bypass without agent set
curl: libssh key passphrase bypass without agent set
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
A flaw was found in libcurl. When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Statement: This vulnerability is rated Low for Red Hat products. The flaw in libcurl, when built with the libssh backend, allows it to wrongly attempt authentication via a locally running SSH agent during public key authentication for SCP or SFTP transfers. However, successful authentication still requires the SSH agent to possess the correct passphra
Debian
CVE-2025-15224: curl - When doing SSH-based transfers using either SCP or SFTP, and asked to do public ...
vendor_debian·2025·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224: curl - When doing SSH-based transfers using either SCP or SFTP, and asked to do public ...
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.18.0-1)
sid: resolved (fixed in 8.18.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15224 :
cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Source : NVD
## 3.1
Score
Published January 8, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
curl
libcurl4
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity LOW No Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity LOW No Fix Added at: Jan 28, 2026
HackerOne
CVE-2025-15224: libssh key passphrase bypass without agent set
hackerone·2026-01-07·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224: libssh key passphrase bypass without agent set
CVE-2025-15224: libssh key passphrase bypass without agent set
## Summary:
libcurl libssh backend `CURLOPT_SSH_AUTH_TYPES` doesn't implement `CURLSSH_AUTH_AGENT` flag correctly. Rather if `CURLSSH_AUTH_PUBLICKEY` is set, the implementation acts as if `CURLSSH_AUTH_AGENT` is always implicitly defined, and thus no key passphrase is required for authentication.
As a result if the user has ssh-agent /pageant running, libcurl using application that specifically does not set `CURLSSH_AUTH_AGENT` will still use the ssh-agent / pageant for authentication bypassing the requirement for knowing the key passphrase.
## Affected version
8.17.0
## Steps To Reproduce:
1. Configure and build libcurl with `--with-libssh`
2. Compile the following proof-of-concept app:
```
#include
int main(void)
{
CURL *
Bugzilla
CVE-2025-15224 curl: libssh key passphrase bypass without agent set
bugzilla·2025-12-31·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224 curl: libssh key passphrase bypass without agent set
CVE-2025-15224 curl: libssh key passphrase bypass without agent set
This flaw only exists when libcurl is built to use the libssh backend, not the
libssh2 based one. This problem happened because libssh has a somewhat
surprising API choice where they fall back to agent authentication.
It should be noted that the authentication still only succeeds if the local
SSH agent actually has the correct passphrase.
2026-01-08
Published