5.3 CVE-2025-15079

Enriched by CISA Patch Exploit
 

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
https://nvd.nist.gov/vuln/detail/CVE-2025-15079

Categories

CWE-297 : Improper Validation of Certificate with Host Mismatch
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.

When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. This methodology might be extensible to other technologies.

Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

  • Mobile banking application does not verify hostname, leading to financial loss.
  • Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents.
  • Software for electronic checking does not verify hostname, leading to financial loss.
  • Cloud-support library written in Python uses incorrect regular expression when matching hostname.
  • Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.
  • Database program truncates the Common Name during hostname verification, allowing spoofing.
  • Incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
  • Mail server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
  • LDAP server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
  • Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function.
  • Smartphone device does not verify hostname, allowing spoofing of mail services.
  • E-commerce module does not verify hostname when connecting to payment site.
  • Chat application does not validate hostname, leading to loss of privacy.
  • Application uses third-party library that does not validate hostname.
  • Cloud storage management application does not validate hostname.
  • Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.
  • SOAP platform does not verify the hostname.
  • PHP library for payments does not verify the hostname.
  • Merchant SDK for payments does not verify the hostname.
  • Web browser does not validate Common Name, allowing spoofing of https sites.

References

2499f714-1537-4658-8207-48ae4bb9eae9 Patch Exploit

https://curl.se/docs/CVE-2025-15079.html
Vendor Advisory Patch
https://curl.se/docs/CVE-2025-15079.json
Vendor Advisory
https://hackerone.com/reports/3477116
Exploit Issue Tracking Third Party Advisory

af854a3a-2127-422b-91ae-364da2661108 Patch Exploit

http://www.openwall.com/lists/oss-security/2026/01/07/6
Mailing List Third Party Advisory Patch


 

AFFECTED (from MITRE)


Vendor Product Versions
curl curl
  • 8.17.0 ≤ 8.17.0 [affected]
  • 8.16.0 ≤ 8.16.0 [affected]
  • 8.15.0 ≤ 8.15.0 [affected]
  • 8.14.1 ≤ 8.14.1 [affected]
  • 8.14.0 ≤ 8.14.0 [affected]
  • 8.13.0 ≤ 8.13.0 [affected]
  • 8.12.1 ≤ 8.12.1 [affected]
  • 8.12.0 ≤ 8.12.0 [affected]
  • 8.11.1 ≤ 8.11.1 [affected]
  • 8.11.0 ≤ 8.11.0 [affected]
  • 8.10.1 ≤ 8.10.1 [affected]
  • 8.10.0 ≤ 8.10.0 [affected]
  • 8.9.1 ≤ 8.9.1 [affected]
  • 8.9.0 ≤ 8.9.0 [affected]
  • 8.8.0 ≤ 8.8.0 [affected]
  • 8.7.1 ≤ 8.7.1 [affected]
  • 8.7.0 ≤ 8.7.0 [affected]
  • 8.6.0 ≤ 8.6.0 [affected]
  • 8.5.0 ≤ 8.5.0 [affected]
  • 8.4.0 ≤ 8.4.0 [affected]
  • 8.3.0 ≤ 8.3.0 [affected]
  • 8.2.1 ≤ 8.2.1 [affected]
  • 8.2.0 ≤ 8.2.0 [affected]
  • 8.1.2 ≤ 8.1.2 [affected]
  • 8.1.1 ≤ 8.1.1 [affected]
  • 8.1.0 ≤ 8.1.0 [affected]
  • 8.0.1 ≤ 8.0.1 [affected]
  • 8.0.0 ≤ 8.0.0 [affected]
  • 7.88.1 ≤ 7.88.1 [affected]
  • 7.88.0 ≤ 7.88.0 [affected]
  • 7.87.0 ≤ 7.87.0 [affected]
  • 7.86.0 ≤ 7.86.0 [affected]
  • 7.85.0 ≤ 7.85.0 [affected]
  • 7.84.0 ≤ 7.84.0 [affected]
  • 7.83.1 ≤ 7.83.1 [affected]
  • 7.83.0 ≤ 7.83.0 [affected]
  • 7.82.0 ≤ 7.82.0 [affected]
  • 7.81.0 ≤ 7.81.0 [affected]
  • 7.80.0 ≤ 7.80.0 [affected]
  • 7.79.1 ≤ 7.79.1 [affected]
  • 7.79.0 ≤ 7.79.0 [affected]
  • 7.78.0 ≤ 7.78.0 [affected]
  • 7.77.0 ≤ 7.77.0 [affected]
  • 7.76.1 ≤ 7.76.1 [affected]
  • 7.76.0 ≤ 7.76.0 [affected]
  • 7.75.0 ≤ 7.75.0 [affected]
  • 7.74.0 ≤ 7.74.0 [affected]
  • 7.73.0 ≤ 7.73.0 [affected]
  • 7.72.0 ≤ 7.72.0 [affected]
  • 7.71.1 ≤ 7.71.1 [affected]
  • 7.71.0 ≤ 7.71.0 [affected]
  • 7.70.0 ≤ 7.70.0 [affected]
  • 7.69.1 ≤ 7.69.1 [affected]
  • 7.69.0 ≤ 7.69.0 [affected]
  • 7.68.0 ≤ 7.68.0 [affected]
  • 7.67.0 ≤ 7.67.0 [affected]
  • 7.66.0 ≤ 7.66.0 [affected]
  • 7.65.3 ≤ 7.65.3 [affected]
  • 7.65.2 ≤ 7.65.2 [affected]
  • 7.65.1 ≤ 7.65.1 [affected]
  • 7.65.0 ≤ 7.65.0 [affected]
  • 7.64.1 ≤ 7.64.1 [affected]
  • 7.64.0 ≤ 7.64.0 [affected]
  • 7.63.0 ≤ 7.63.0 [affected]
  • 7.62.0 ≤ 7.62.0 [affected]
  • 7.61.1 ≤ 7.61.1 [affected]
  • 7.61.0 ≤ 7.61.0 [affected]
  • 7.60.0 ≤ 7.60.0 [affected]
  • 7.59.0 ≤ 7.59.0 [affected]
  • 7.58.0 ≤ 7.58.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* >= 7.58.0 < 8.18.0


REMEDIATION


Patch

Url
https://curl.se/docs/CVE-2025-15079.html
http://www.openwall.com/lists/oss-security/2026/01/07/6


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://hackerone.com/reports/3477116


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry