CVE-2025-10966

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-10966
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10966.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-10966
Aliases
Downstream
Related
Published
2025-11-07T08:15:39.617Z
Modified
2026-03-20T12:40:32.699674Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more.

References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Introduced
b8d1366852fd0034374c5de1e4968c7a224f77cc
Fixed
400fffa90f30c7a2dc762fa33009d24851bd2016
Database specific 
{
    "versions": [
        {
            "introduced": "7.69.0"
        },
        {
            "fixed": "8.17.0"
        }
    ]
}

Affected versions

Other
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_77_0
curl-7_78_0
curl-7_79_0
curl-7_79_1
curl-7_80_0
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
curl-7_84_0
curl-7_85_0
curl-7_86_0
curl-7_87_0
curl-7_88_0
curl-7_88_1
curl-8_0_0
curl-8_0_1
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_1_0
curl-8_1_1
curl-8_1_2
curl-8_2_0
curl-8_2_1
curl-8_3_0
curl-8_4_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10966.json"