Key Information

Vulnerability Overview
CVE ID: CVE-2025-5025
Vulnerability Name: No QUIC certificate pinning with wolfSSL
Reward Amount: 2540 USD

Vulnerability Details
Description: libcurl supports pinning the server's public key for HTTPS transfers (the --pinnedpubkey command-line option, CURLOPT_PINNEDPUBLICKEY in the library API). When wolfSSL is the TLS backend, this check is not performed on QUIC connections, that is, for HTTP/3 transfers. A transfer with a pin configured therefore succeeds even when the server's public key does not match the pin.
Impact: Users who rely on the pin to detect a server presenting a different key than the one they pinned get no error over HTTP/3 and may connect to a spoofed server without noticing.
CWE ID: CWE-295: Improper Certificate Validation
Severity: Medium

Affected Versions
Affected Versions: curl 8.5.0 to 8.13.0
Unaffected Versions: curl 8.14.0 and later
Introduced in: Related commit

Solution
Fixed Version: curl 8.14.0
Fix Commit: Related commit
Recommendations
1. Upgrade curl to version 8.14.0 or later.
2. Apply the fix commit as a patch to your local version.
3. On a curl built with wolfSSL that is still in the affected range, do not rely on public-key pinning for HTTP/3: either do not use HTTP/3 (do not pass --http3 or --http3-only, do not set CURLOPT_HTTP_VERSION to CURL_HTTP_VERSION_3 or CURL_HTTP_VERSION_3ONLY, and keep in mind that an enabled alt-svc cache can switch a transfer to HTTP/3 on its own) or treat the pin as not enforced.

Timeline
Report Date: May 19, 2025
Disclosure Date: May 28, 2025

Acknowledgments
Reporter: Hiroki Kurosawa
Fixer: Stefan Eissing
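The affected-version and recommendation sections above describe three conditions that all have to hold for a build to be exposed: a curl version from 8.5.0 up to but not including 8.14.0, wolfSSL as the TLS backend, and HTTP/3 support compiled in. The following script, an added example that is not part of the advisory or of the curl project, applies those conditions to the output of `curl --version`. It assumes the usual layout of that output (version on the first line, backend tokens such as `wolfSSL/5.7.2` on the same line, a `Features:` line whose tokens include `HTTP3` when HTTP/3 is available); the sample outputs embedded in it are constructed for the example.

```python
"""Classify a `curl --version` dump against the CVE-2025-5025 conditions.

Added example, not curl project code. A build is reported as "affected"
only when the version is in 8.5.0 <= v < 8.14.0, wolfSSL is one of the
TLS backends and HTTP3 is listed under Features. The sample outputs at
the bottom are constructed for this example.
"""
import re
import sys
from dataclasses import dataclass

AFFECTED_MIN = (8, 5, 0)   # first affected release (inclusive)
FIXED = (8, 14, 0)         # first fixed release

# Backend names as they appear on the first line of `curl --version`.
TLS_BACKENDS = ("OpenSSL", "wolfSSL", "GnuTLS", "mbedTLS", "BoringSSL",
                "LibreSSL", "AWS-LC", "Schannel", "SecureTransport", "rustls")


@dataclass(frozen=True)
class CurlBuild:
    version: tuple
    tls_backends: tuple
    features: frozenset


def parse_curl_version(text: str) -> CurlBuild:
    """Parse the first line and the Features: line of `curl --version`."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty curl --version output")
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", lines[0])
    if not m:
        raise ValueError(f"unrecognised first line: {lines[0]!r}")
    version = tuple(int(x) for x in m.groups())
    # A MultiSSL build lists several backends inside parentheses on the
    # first line; the conservative choice is to count every one of them.
    backends = tuple(b for b in TLS_BACKENDS
                     if re.search(rf"\b{re.escape(b)}\b", lines[0]))
    features = frozenset()
    for ln in lines[1:]:
        if ln.startswith("Features:"):
            features = frozenset(ln.split(":", 1)[1].split())
    return CurlBuild(version, backends, features)


def classify(build: CurlBuild) -> str:
    """Return one of: affected, fixed, not-affected-version, no-wolfssl, no-http3."""
    if build.version >= FIXED:
        return "fixed"
    if build.version < AFFECTED_MIN:
        return "not-affected-version"
    if "wolfSSL" not in build.tls_backends:
        return "no-wolfssl"
    if "HTTP3" not in build.features:
        return "no-http3"            # pin check only skipped on QUIC, which this build cannot do
    return "affected"                # --pinnedpubkey is not enforced over HTTP/3 here


# Constructed sample outputs (not captured from real systems).
SAMPLE_AFFECTED = """\
curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 wolfSSL/5.7.2 zlib/1.3.1 nghttp2/1.62.1 ngtcp2/1.7.0 nghttp3/1.4.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
SAMPLE_FIXED = SAMPLE_AFFECTED.replace("8.10.1", "8.14.0")
SAMPLE_OPENSSL = SAMPLE_AFFECTED.replace("wolfSSL/5.7.2", "OpenSSL/3.0.13")
SAMPLE_NO_HTTP3 = SAMPLE_AFFECTED.replace(" HTTP3", "").replace(" ngtcp2/1.7.0 nghttp3/1.4.0", "")


if __name__ == "__main__":
    # Usage: curl --version | python3 check_cve_2025_5025.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFFECTED
    build = parse_curl_version(text)
    print(f"curl {'.'.join(map(str, build.version))} backends={build.tls_backends} -> {classify(build)}")
```

`no-wolfssl` and `no-http3` mean the build cannot hit the skipped check, not that it is up to date; the version range is still the reason to upgrade.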