CURL-CVE-2025-5399

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2025-5399.html

Import Source

https://curl.se/docs/CURL-CVE-2025-5399.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2025-5399

Aliases

CVE-2025-5399

Published

2025-06-04T08:00:00Z

Modified

2025-06-04T07:44:49Z

Summary

WebSocket endless loop

Details

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process.

This might be used to DoS libcurl-using application.

Database specific

{
    "CWE": {
        "id": "CWE-835",
        "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
    },
    "award": {
        "amount": "505",
        "currency": "USD"
    },
    "URL": "https://curl.se/docs/CVE-2025-5399.json",
    "affects": "lib",
    "package": "curl",
    "severity": "Low",
    "issue": "https://hackerone.com/reports/3168039",
    "www": "https://curl.se/docs/CVE-2025-5399.html",
    "last_affected": "8.14.0"
}

References

Credits

- z2_ on hackerone - FINDER
- z2_ on hackerone - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

8.13.0

Fixed

8.14.1

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

3588df9478d7c27046b34cdb510728a26bedabc7

Fixed

d1145df24de8f80e6b167fbc4f28b86bcd0c6832

Affected versions

8.*

8.13.0

8.14.0