CVE-2025-5399
Published: 2025-06-07
Priority: P342 (high)
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.57% (69.0th percentile)
Due to a mistake in libcurl's WebSocket code, a malicious server can send a
particularly crafted packet which makes libcurl get trapped in an endless
busy-loop.
There is no other way for the application to escape or exit this loop other
than killing the thread/process.
This might be used to DoS a libcurl-using application.
Affected
11 ranges (identical rows collapsed; the last column gives the number of listed entries)
| Vendor | Product | Version range | Fixed in | Entries |
|---|---|---|---|---|
| curl | curl | 8.13.0 – 8.13.0 | — | 1 |
| curl | curl | 8.14.0 – 8.14.0 | — | 1 |
| debian | curl | < curl 8.14.1-1 (forky) | curl 8.14.1-1 (forky) | 1 |
| haxx | curl | >= 0 < 8.14.1-r0 | 8.14.1-r0 | 5 |
| haxx | curl | >= 0 < 8.14.1-1 | 8.14.1-1 | 2 |
| haxx | curl | >= 8.13.0 < 8.14.1 | 8.14.1 | 1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | LOW | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_oracle | 4.5 | HIGH | |
GHSA
GHSA-8h93-38hx-vv92 [HIGH] CWE-835
ghsa_unreviewed · 2025-06-07
Same description as the CVE text above.
OSV
CVE-2025-5399 [HIGH]
osv · 2025-06-07 · CVSS 7.5
Same description as the CVE text above.
Oracle
Oracle Communications Applications Risk Matrix: Core (MySQL Server) — CVE-2025-5399 [HIGH]
vendor_oracle · 2025-10-15 · CVSS 4.5
CVE: CVE-2025-5399
CVSS: 4.5
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpuoct2025 (OCT 2025)
Oracle
Oracle MySQL Risk Matrix: Server: Packaging (curl) — CVE-2025-5399 [HIGH]
vendor_oracle · 2025-07-15 · CVSS 4.3
CVE: CVE-2025-5399
CVSS: 4.3
Protocol: MySQL Protocol
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Red Hat
curl: libcurl: WebSocket endless loop [HIGH] CWE-835
vendor_redhat · 2025-06-07 · CVSS 7.5
Same description as the CVE text above, followed by Red Hat's own summary:
A flaw was found in libcurl's WebSocket handling. This vulnerability allows a malicious server to cause an application-level denial of service (DoS) by triggering an infinite busy-loop, effectively trapping the application thread, via a specially crafted WebSocket packet when "auto-pong" is enabled.
Statement: The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to
Debian
CVE-2025-5399: curl [HIGH]
vendor_debian · 2025 · CVSS 7.5
Same description as the CVE text above.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.14.1-1)
sid: resolved (fixed in 8.14.1-1)
trixie: resolved (fixed in 8.14.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-5399 curl: libcurl: WebSocket endless loop [HIGH]
bugzilla · 2025-06-07 · CVSS 7.5
Same description as the CVE text above.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:15699 https://access.redhat.com/errata/RHSA-2025:15699
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
HackerOne
CVE-2025-5399: WebSocket endless loop [HIGH]
hackerone · 2025-06-04 · CVSS 7.5
The function `curl_ws_send()` in libcurl on commit [12d13b84fa40aa657b83d5458944dbd9b978fb7e](https://github.com/curl/curl/blob/12d13b84fa40aa657b83d5458944dbd9b978fb7e/lib/ws.c) contains an infinite loop that can be triggered by a malicious server under specific circumstances.
If an application uses `curl_ws_recv()` and `curl_ws_send()` to communicate with a websocket server, a malicious server can send a carefully timed PING message while the client is constructing a frame via `CURLWS_OFFSET` that leads to the next `curl_ws_send()` invocation not terminating a loop that flushes data.
The affected code is in file `lib/ws.c` in function `curl_ws_send()` on [lines 1376 - 1419](https://github.com/curl/curl/blob/12d13b84fa40aa657b83d5458944dbd9b978fb7e/