Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.
There is no other way for the application to escape or exit this loop other than killing the thread/process.
This might be used to DoS libcurl-using application.
{ "package": "curl", "award": { "currency": "USD", "amount": "505" }, "issue": "https://hackerone.com/reports/3168039", "CWE": { "id": "CWE-835", "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')" }, "URL": "https://curl.se/docs/CVE-2025-5399.json", "last_affected": "8.14.0", "severity": "Low", "affects": "lib", "www": "https://curl.se/docs/CVE-2025-5399.html" }