CVE-2025-4947
Published: 2025-05-28
Priority: P4 · CVSS 3.1 base score 6.5 (medium) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.07% (22.9th percentile)
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.10.0 – 8.10.0 | — |
| curl | curl | 8.10.1 – 8.10.1 | — |
| curl | curl | 8.11.0 – 8.11.0 | — |
| curl | curl | 8.11.1 – 8.11.1 | — |
| curl | curl | 8.12.0 – 8.12.0 | — |
| curl | curl | 8.12.1 – 8.12.1 | — |
| curl | curl | 8.13.0 – 8.13.0 | — |
| curl | curl | 8.8.0 – 8.8.0 | — |
| curl | curl | 8.9.0 – 8.9.0 | — |
| curl | curl | 8.9.1 – 8.9.1 | — |
| debian | curl | < curl 8.14.0-1 (forky) | curl 8.14.0-1 (forky) |
| haxx | curl | >= 0 < 8.14.0-1 | 8.14.0-1 |
| haxx | curl | >= 0 < 8.14.0-1 | 8.14.0-1 |
| haxx | curl | >= 8.8.0 < 8.14.0 | 8.14.0 |
| msrc | azl3_cmake_3.30.3-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_curl_8.11.1-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_mysql_8.0.41-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_curl_8.8.0-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_mysql_8.0.41-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | LOW | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
GHSA
GHSA-ppfq-jg49-mqj4: libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL
ghsa_unreviewed · 2025-05-28 · CVE-2025-4947 [MEDIUM] · CWE-295
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
OSV
CVE-2025-4947: libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL
osv · 2025-05-28 · CVSS 6.5 · CVE-2025-4947 [MEDIUM]
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Red Hat
libcurl: curl: QUIC certificate check skip with wolfSSL
vendor_redhat · 2025-05-28 · CVSS 6.5 · CVE-2025-4947 [MEDIUM] · CWE-295
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
A vulnerability was found in curl. When using WolfSSL as the TLS library, it skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. This can result in curl being unable to detect illegitimate servers or man-in-the-middle attacks, potentially leading to unauthorized connections to malicious hosts or the interception of sensitive communications.
This issue only affects instances of curl and libcurl using WolfSSL as the backend TLS library.
Statement: This vulne
Microsoft
QUIC certificate check skip with wolfSSL
vendor_msrc · 2025-05-13 · CVSS 6.5 · CVE-2025-4947 [MEDIUM] · CWE-295
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en
Debian
CVE-2025-4947: curl - libcurl accidentally skips the certificate verification for QUIC connections whe...
vendor_debian · 2025 · CVSS 6.5 · CVE-2025-4947 [MEDIUM]
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.14.0-1)
sid: resolved (fixed in 8.14.0-1)
trixie: resolved (fixed in 8.14.0-1)
Citrix
Citrix Security Bulletin CTX140984
vendor_citrix · CVSS 10.0 · CVE-2014-4947 [CRITICAL]
CVE References: CVE-2014-4947, CVE-2014-4948, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-4947 libcurl: curl: QUIC certificate check skip with wolfSSL
bugzilla · 2025-05-28 · CVSS 6.5 · CVE-2025-4947 [MEDIUM]
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
HackerOne
CVE-2025-4947: QUIC certificate check skip with wolfSSL
hackerone · 2025-05-28 · CVSS 6.5 · CVE-2025-4947 [MEDIUM]
## Summary:
When using WolfSSL as the TLS backend, there is an issue where the CN or SAN in the certificate is not verified when connecting to an IP address over HTTP/3.
wolfSSL_X509_check_host is only called when `peer->sni` is not NULL.
However, when an IP address is specified, `peer->sni` is NULL, so the verification does not occur.
In `Curl_vquic_tls_verify_peer()`:
```c
#elif defined(USE_WOLFSSL)
  (void)data;
  if(conn_config->verifyhost) {
    /* peer->sni is only set for DNS hostnames; for an IP-literal host it is
       NULL, so this branch (and the host check inside it) is skipped entirely. */
    if(peer->sni) {
      WOLFSSL_X509 *cert = wolfSSL_get_peer_certificate(ctx->wssl.ssl);
      if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
         == WOLFSSL_FAILURE) {
        result = CURLE_PEER_FAILED_VERIFICATION;
      }
      wolfSSL_X509_free(cert);
    }
  }
#endif
```
## Affected version
```
curl -V
WARNING:
```
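As an added defender-side check, not code from the HackerOne report or the curl project: the function takes the complete `curl -V` output as its first argument (an assumption about how it is called) and flags a build as potentially affected only when all three advisory conditions hold, namely a libcurl version in the 8.8.0 to 8.13.x range, wolfSSL named as a TLS backend on the first line, and HTTP3 listed under Features. The sample outputs are constructed, not captured from real systems.

```shell
# Added example; assumes "$1" holds the full output of `curl -V`, whose first
# line looks like "curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 wolfSSL/5.7.2 ...".
# Exit status: 0 = matches the advisory's conditions, 1 = does not, 2 = unparseable.
curl_affected_by_cve_2025_4947() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    ver=$(printf '%s\n' "$first" | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # Advisory range: 8.8.0 through 8.13.x; 8.14.0 carries the fix.
    [ "$major" -eq 8 ] && [ "$minor" -ge 8 ] && [ "$minor" -lt 14 ] || return 1
    # Only builds that link wolfSSL are affected (a MultiSSL build that lists
    # wolfSSL among other backends is flagged conservatively).
    case "$first" in *wolfSSL/*) ;; *) return 1 ;; esac
    # The skipped check sits in the QUIC/HTTP3 path, so HTTP3 must be compiled in.
    printf '%s\n' "$1" | grep -q '^Features:.*HTTP3' || return 1
}

# Constructed sample outputs (not captured from real systems).
AFFECTED_SAMPLE='curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 wolfSSL/5.7.2 ngtcp2/1.9.1 nghttp3/1.6.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile SSL'
FIXED_SAMPLE='curl 8.14.0 (x86_64-pc-linux-gnu) libcurl/8.14.0 wolfSSL/5.7.2 ngtcp2/1.9.1 nghttp3/1.6.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile SSL'
OPENSSL_SAMPLE='curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 OpenSSL/3.0.13 ngtcp2/1.9.1 nghttp3/1.6.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile SSL'

for sample in "$AFFECTED_SAMPLE" "$FIXED_SAMPLE" "$OPENSSL_SAMPLE"; do
    if curl_affected_by_cve_2025_4947 "$sample"; then verdict=AFFECTED; else verdict=not-affected; fi
    printf '%s: %s\n' "$verdict" "$(printf '%s\n' "$sample" | sed -n '1p')"
done
```

Distribution packages may ship the fix as a backport under an older version number (the Debian entries above list the fixed package as 8.14.0-1, but other distros differ), so treat a hit as a prompt to check the package changelog rather than as proof.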