CURL-CVE-2025-14819
- Source
- https://curl.se/docs/CVE-2025-14819.html
- Import Source
- https://curl.se/docs/CURL-CVE-2025-14819.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CURL-CVE-2025-14819
- Aliases
- Published
- 2026-01-07T08:00:00Z
- Modified
- 2026-05-19T09:30:06.496997439Z
- Summary
- OpenSSL partial chain store policy bypass
- Details
-
When doing TLS related transfers with reused easy or multi handles and altering the
CURLSSLOPT_NO_PARTIALCHAINoption, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. - Database specific
{ "last_affected": "8.17.0", "award": { "currency": "USD", "amount": "505" }, "severity": "Low", "affects": "lib", "CWE": { "desc": "Improper Certificate Validation", "id": "CWE-295" }, "www": "https://curl.se/docs/CVE-2025-14819.html", "URL": "https://curl.se/docs/CVE-2025-14819.json", "package": "curl" }- References
-
- Credits
-
-
- Stanislav Fort (Aisle Research) - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.87.0Fixed8.18.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.87.0
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.2.0
8.2.1
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1
Other
curl-7_87_0
curl-7_88_0
curl-7_88_1
curl-8_0_0
curl-8_0_1
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_1_0
curl-8_1_1
curl-8_1_2
curl-8_2_0
curl-8_2_1
curl-8_3_0
curl-8_4_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2