Critical Vulnerability Information

Vulnerability ID: CURL-CVE-2025-4947
Aliases: CVE-2025-4947
Summary: QUIC certificate validation skip issue related to wolfSSL
Modified Time: 2025-05-28T08:10:29.00Z

Database-specific Information:
- Package Type: both
- URL: https://curl.se/docs/CVE-2025-4947.json
- Website: https://curl.se/docs/CVE-2025-4947.html
- Issue Report: https://hackerone.com/reports/3150884

CWE:
- ID: CWE-295
- Description: Improper Certificate Validation

Reward:
- Amount: 2540 USD

Last Affected Version: 8.13.0
Severity: Medium
Release Date: 2025-05-28T08:00:00.00Z

Affected Version Range:
- SEMVER: 8.8.0 to 8.14.0
- GIT: from 4c46e277b2a0c0489de0e0fcb91f315c62f0369c to a85f1df4803bbd272905c9e712537b41afeafbd3

Specific Affected Versions: 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0

Contributors:
- Discoverer: Hiroki Kurosawa
- Fix Developer: Stefan Eissing

Details: libcurl unexpectedly skips certificate validation for QUIC connections when connecting to a host specified as an IP address in the URL. As a result, it cannot detect impersonators or man-in-the-middle attacks.