DEBIAN-CVE-2025-13034

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-13034

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13034.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-13034

Upstream

CVE-2025-13034

Published

2026-01-08T10:15:45.407Z

Modified

2026-01-09T11:17:41.043087Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

References

https://security-tracker.debian.org/tracker/CVE-2025-13034

Affected packages

Debian:13 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.14.1-2

8.14.1-2+deb13u1

8.14.1-2+deb13u2

8.14.1-2+exp1

8.15.0~rc1-1exp1

8.15.0~rc2-1~exp1

8.15.0~rc3-1~exp1

8.15.0-1~bpo13+1

8.15.0-1~exp1

8.15.0-1

8.16.0~rc1-1~exp1

8.16.0~rc2-1

8.16.0~rc2-2

8.16.0~rc3-1

8.16.0-1~bpo13+1

8.16.0-1

8.16.0-1+exp1

8.16.0-2

8.16.0-3

8.16.0-4~bpo13+1

8.16.0-4

8.17.0~rc1-1~exp1

8.17.0~rc2-1

8.17.0~rc3-1

8.17.0-1

8.17.0-2

8.17.0-3

8.18.0~rc1-1+exp1

8.18.0~rc2-1

8.18.0~rc3-1

8.18.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13034.json"

Debian:14 / curl