Server Certificate Public Key Pinning Flaw in libcurl with wolfSSL for HTTP/3 Connections
CVE-2025-5025
4.8MEDIUM
What is CVE-2025-5025?
libcurl's implementation of server certificate public key pinning for HTTPS transfers is compromised when using QUIC for HTTP/3 connections with wolfSSL. Due to an oversight, the certificate pinning verification is not executed, allowing users to connect to potentially malicious servers without being alerted. Although documentation indicates compatibility with wolfSSL, it fails to clarify that this vulnerability exists specifically for QUIC and HTTP/3, thus increasing the risk of server impersonation for unwitting users.
Affected Version(s)
curl 8.13.0
curl 8.12.1
curl 8.12.0