WebSocket Vulnerability in curl Affects Multiple Versions
CVE-2025-10148

Currently unrated

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 12 September 2025

What is CVE-2025-10148?

The WebSocket implementation in curl has a vulnerability that does not update the 32-bit mask pattern for each new outgoing frame, resulting in a predictable mask. This flaw permits a malicious server to generate traffic that could be misinterpreted as legitimate HTTP traffic by proxies. Consequently, an attacker could poison the cache of such proxies, distributing manipulated content to all users. The risk of serving corrupted data underscores the necessity for immediate remedial actions to safeguard against exploitation.

Affected Version(s)

curl 8.15.0

curl 8.14.1

curl 8.14.0

References

https://curl.se/docs/CVE-2025-10148.json

https://curl.se/docs/CVE-2025-10148.html

https://hackerone.com/reports/3330839

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Calvin Ruocco (Vector Informatik GmbH)

Daniel Stenberg

Curl

What is CVE-2025-10148?

Affected Version(s)

References

Timeline

Credit