Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-62038.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-62038
Upstream
Published
2025-05-28T07:15:24Z
Modified
2026-04-01T05:19:58.275509Z
Summary
CVE-2025-5025 affecting package cmake for versions less than 3.30.3-6
Details

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

References

Affected packages

Azure Linux:3 / cmake

Package

Name
cmake
Purl
pkg:rpm/azure-linux/cmake

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.30.3-6

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-62038.json"