CVE-2025-11563

Source
https://cve.org/CVERecord?id=CVE-2025-11563
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-11563.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-11563
Downstream
Related
Published
2026-02-25T07:20:47.012Z
Modified
2026-07-11T03:53:39.889237586Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
wcurl path traversal with percent-encoded slashes
Details

URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it.

This flaw only affects the wcurl command line tool.

Database specific
{
    "cna_assigner": "curl",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.17.0"
                },
                {
                    "last_affected": "8.17.0"
                },
                {
                    "introduced": "8.16.0"
                },
                {
                    "last_affected": "8.16.0"
                },
                {
                    "introduced": "8.15.0"
                },
                {
                    "last_affected": "8.15.0"
                },
                {
                    "introduced": "8.14.1"
                },
                {
                    "last_affected": "8.14.1"
                },
                {
                    "introduced": "8.14.0"
                },
                {
                    "last_affected": "8.14.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11563.json"
}
References

Affected packages

Git / github.com/curl/wcurl

Affected ranges

Type
GIT
Repo
https://github.com/curl/wcurl
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "2024-12-08"
        },
        {
            "fixed": "2025-11-09"
        }
    ],
    "cpe": "cpe:2.3:a:curl:wcurl:*:*:*:*:*:*:*:*"
}

Affected versions

v2024.*
v2024.12.08
v2025.*
v2025.02.24
v2025.04.20
v2025.05.26
v2025.09.27
v2025.11.04

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-11563.json"