libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
{ "last_affected": "8.13.0", "award": { "amount": "2540", "currency": "USD" }, "package": "curl", "URL": "https://curl.se/docs/CVE-2025-4947.json", "severity": "Medium", "CWE": { "desc": "Improper Certificate Validation", "id": "CWE-295" }, "issue": "https://hackerone.com/reports/3150884", "affects": "both", "www": "https://curl.se/docs/CVE-2025-4947.html" }