Description
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3 while the TLS backend is wolfSSL. The documentation states that the option works with wolfSSL but does not say that it is ineffective for QUIC and HTTP/3. Because a successful transfer normally implies that the pin matched, users could unwittingly connect to an impostor server without noticing.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5
Attack Vector: Network
Complexity: High
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
Affected Packages (3 packages)
Vulnerability Details (3)
- GHSA (GHSA-x8ch-h5vv-q6cm): libcurl supports *pinning* of the server certificate public key for HTTPS transfers (2025-05-28)
- OSV (CVE-2025-5025): libcurl supports *pinning* of the server certificate public key for HTTPS transfers (2025-05-28)
- CVEList: No QUIC certificate pinning with wolfSSL (2025-05-28)

Vendor Advisories (3)
- Red Hat: curl: libcurl: QUIC Certificate Pinning Bypass (2025-05-28)
- Microsoft: No QUIC certificate pinning with wolfSSL (2025-05-13)
- Debian: CVE-2025-5025: curl - libcurl supports *pinning* of the server certificate public key for HTTPS transf... (2025)

Community (1)
- HackerOne: CVE-2025-5025: No QUIC certificate pinning with wolfSSL (2025-05-28)