curl wolfSSL QUIC Certificate Pinning Bypass (CVE-2025-5025)

Critical Vulnerability Information Vulnerability ID: CURL-CVE-2025-5025 Aliases: CVE-2025-5025 Summary: No QUIC certificate pinning with wolfSSL Modified Time: 2025-05-28T08:10:29.00Z Database-Specific Information: - Package Type: curl - Affected Scope: both - URL: https://curl.se/docs/CVE-2025-5025.json - WWW: https://curl.se/docs/CVE-2025-5025.html - Issue Report: https://hackerone.com/reports/3153497 CWE: - ID: CWE-295 - Description: Improper Certificate Validation Reward: - Amount: 2540 USD Last Affected Version: 8.13.0 Severity: Medium Publication Date: 2025-05-28T08:00:00.00Z Affected Version Range: - SEMVER: - Introduced: 8.5.0 - Fixed: 8.14.0 - GIT: - Introduced: 5f78cf503c786a1d48d13528dde038bccfa6c67c - Fixed: e1f65937a96a451292e9231339672797da86ecc5 List of Affected Versions: - 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0 Contributors: - Hiroki Kurosawa (Discoverer) - Stefan Eissing (Fix Developer) Details: - libcurl supports pinning of the server certificate public key during HTTPS transfers. Due to an oversight, this check is not performed when using wolfSSL as the TLS backend to connect to HTTP/3 QUIC. Documentation states that this option is compatible with wolfSSL, but does not specify that it does not apply to QUIC and HTTP/3. Since pinning can allow successful transmission if the pin is correct, users may unknowingly connect to a spoofed server.

Goal Reached Thanks to every supporter — we hit 100%!

curl wolfSSL QUIC Certificate Pinning Bypass (CVE-2025-5025)