DEBIAN-CVE-2025-15079

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-15079

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-15079.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-15079

Upstream

CVE-2025-15079

Published

2026-01-08T10:15:47.100Z

Modified

2026-01-09T11:17:56.147532Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

When doing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file.

References

https://security-tracker.debian.org/tracker/CVE-2025-15079

Affected packages

Debian:11 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.74.0-1.3

7.74.0-1.3+deb11u1

7.74.0-1.3+deb11u2

7.74.0-1.3+deb11u3

7.74.0-1.3+deb11u4

7.74.0-1.3+deb11u5

7.74.0-1.3+deb11u6

7.74.0-1.3+deb11u7~bpo11+1

7.74.0-1.3+deb11u7

7.74.0-1.3+deb11u8

7.74.0-1.3+deb11u9

7.74.0-1.3+deb11u10

7.74.0-1.3+deb11u11

7.74.0-1.3+deb11u12

7.74.0-1.3+deb11u13

7.74.0-1.3+deb11u14

7.74.0-1.3+deb11u15

7.74.0-1.3+deb11u16

7.79.1-1

7.79.1-2

7.79.1-3~exp1

7.79.1-3~exp2

7.80.0-1

7.80.0-2

7.80.0-3

7.81.0-1~bpo11+1

7.81.0-1

7.82.0-1

7.82.0-2~bpo11+1

7.82.0-2

7.83.0-1

7.83.1-1

7.83.1-2

7.84.0-1

7.84.0-2~bpo11+1

7.84.0-2

7.85.0-1~bpo11+1

7.85.0-1

7.86.0-1

7.86.0-2

7.86.0-3

7.87.0-1~bpo11+1

7.87.0-1

7.87.0-2~bpo11+1

7.87.0-2

7.88.1-1~bpo11+1

7.88.1-1

7.88.1-2~exp1

7.88.1-2~exp2

7.88.1-2~exp3

7.88.1-2~exp4

7.88.1-2

7.88.1-3

7.88.1-4

7.88.1-5

7.88.1-6

7.88.1-7~bpo11+1

7.88.1-7~bpo11+2

7.88.1-7~exp1

7.88.1-7

7.88.1-8~exp1

7.88.1-8

7.88.1-9

7.88.1-10

7.88.1-11

8.*

8.0.1-1~exp1

8.2.1-1

8.2.1-2~bpo12+1

8.2.1-2

8.3.0-1

8.3.0-2~bpo12+1

8.3.0-2~exp1

8.3.0-2

8.3.0-3

8.4.0-1

8.4.0-2~bpo12+1

8.4.0-2

8.5.0-1

8.5.0-1+exp1

8.5.0-2~bpo12+1

8.5.0-2

8.5.0-2+exp1

8.6.0-1

8.6.0-1.1

8.6.0-2

8.6.0-3

8.6.0-3.1~exp1

8.6.0-3.1~exp2

8.6.0-3.1

8.6.0-3.2

8.6.0-4

8.7.1-1

8.7.1-1+exp1

8.7.1-2

8.7.1-3

8.7.1-4

8.7.1-5~bpo12+1

8.7.1-5

8.7.1-5+exp1

8.8.0-1~bpo12+1

8.8.0-1

8.8.0-1+exp1

8.8.0-1+exp2

8.8.0-2

8.8.0-3

8.8.0-4

8.9.0-1

8.9.0-2

8.9.0-3

8.9.1-1

8.9.1-2~bpo12+1

8.9.1-2

8.10.0-1

8.10.0-2

8.10.1-1~bpo12+1

8.10.1-1

8.10.1-2

8.11.0-1

8.11.1-1~bpo12+1

8.11.1-1

8.12.0+git20250209.89ed161+ds-1~bpo12+1

8.12.0+git20250209.89ed161+ds-1

8.12.1-1

8.12.1-2~bpo12+1

8.12.1-2

8.12.1-3~bpo12+1

8.12.1-3

8.13.0~rc-1~exp1

8.13.0~rc-1~exp2

8.13.0~rc2-1

8.13.0~rc2-2

8.13.0~rc3-1

8.13.0~rc3-1+exp1

8.13.0-1

8.13.0-1+exp1

8.13.0-2

8.13.0-2+exp1

8.13.0-3

8.13.0-4

8.13.0-4+exp1

8.13.0-5~bpo12+1

8.13.0-5

8.13.0-5+exp1

8.14.0~rc1-1+exp1

8.14.0~rc2-1+exp1

8.14.0~rc3-1+exp1

8.14.0-1

8.14.0-1+exp1

8.14.1-1~bpo12+1

8.14.1-1

8.14.1-2~bpo12+1

8.14.1-2

8.14.1-2+exp1

8.15.0~rc1-1exp1

8.15.0~rc2-1~exp1

8.15.0~rc3-1~exp1

8.15.0-1~bpo13+1

8.15.0-1~exp1

8.15.0-1

8.16.0~rc1-1~exp1

8.16.0~rc2-1

8.16.0~rc2-2

8.16.0~rc3-1

8.16.0-1~bpo13+1

8.16.0-1

8.16.0-1+exp1

8.16.0-2

8.16.0-3

8.16.0-4~bpo13+1

8.16.0-4

8.17.0~rc1-1~exp1

8.17.0~rc2-1

8.17.0~rc3-1

8.17.0-1

8.17.0-2

8.17.0-3

8.18.0~rc1-1+exp1

8.18.0~rc2-1

8.18.0~rc3-1

8.18.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-15079.json"

Debian:12 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.88.1-10

7.88.1-10+deb12u1~bpo11+1

7.88.1-10+deb12u1

7.88.1-10+deb12u2

7.88.1-10+deb12u3~bpo11+1

7.88.1-10+deb12u3

7.88.1-10+deb12u4

7.88.1-10+deb12u5~bpo11+1

7.88.1-10+deb12u5

7.88.1-10+deb12u6~bpo11+1

7.88.1-10+deb12u6

7.88.1-10+deb12u7

7.88.1-10+deb12u8

7.88.1-10+deb12u9

7.88.1-10+deb12u11

7.88.1-10+deb12u12

7.88.1-10+deb12u13

7.88.1-10+deb12u14

7.88.1-11

8.*

8.0.1-1~exp1

8.2.1-1

8.2.1-2~bpo12+1

8.2.1-2

8.3.0-1

8.3.0-2~bpo12+1

8.3.0-2~exp1

8.3.0-2

8.3.0-3

8.4.0-1

8.4.0-2~bpo12+1

8.4.0-2

8.5.0-1

8.5.0-1+exp1

8.5.0-2~bpo12+1

8.5.0-2

8.5.0-2+exp1

8.6.0-1

8.6.0-1.1

8.6.0-2

8.6.0-3

8.6.0-3.1~exp1

8.6.0-3.1~exp2

8.6.0-3.1

8.6.0-3.2

8.6.0-4

8.7.1-1

8.7.1-1+exp1

8.7.1-2

8.7.1-3

8.7.1-4

8.7.1-5~bpo12+1

8.7.1-5

8.7.1-5+exp1

8.8.0-1~bpo12+1

8.8.0-1

8.8.0-1+exp1

8.8.0-1+exp2

8.8.0-2

8.8.0-3

8.8.0-4

8.9.0-1

8.9.0-2

8.9.0-3

8.9.1-1

8.9.1-2~bpo12+1

8.9.1-2

8.10.0-1

8.10.0-2

8.10.1-1~bpo12+1

8.10.1-1

8.10.1-2

8.11.0-1

8.11.1-1~bpo12+1

8.11.1-1

8.12.0+git20250209.89ed161+ds-1~bpo12+1

8.12.0+git20250209.89ed161+ds-1

8.12.1-1

8.12.1-2~bpo12+1

8.12.1-2

8.12.1-3~bpo12+1

8.12.1-3

8.13.0~rc-1~exp1

8.13.0~rc-1~exp2

8.13.0~rc2-1

8.13.0~rc2-2

8.13.0~rc3-1

8.13.0~rc3-1+exp1

8.13.0-1

8.13.0-1+exp1

8.13.0-2

8.13.0-2+exp1

8.13.0-3

8.13.0-4

8.13.0-4+exp1

8.13.0-5~bpo12+1

8.13.0-5

8.13.0-5+exp1

8.14.0~rc1-1+exp1

8.14.0~rc2-1+exp1

8.14.0~rc3-1+exp1

8.14.0-1

8.14.0-1+exp1

8.14.1-1~bpo12+1

8.14.1-1

8.14.1-2~bpo12+1

8.14.1-2

8.14.1-2+exp1

8.15.0~rc1-1exp1

8.15.0~rc2-1~exp1

8.15.0~rc3-1~exp1

8.15.0-1~bpo13+1

8.15.0-1~exp1

8.15.0-1

8.16.0~rc1-1~exp1

8.16.0~rc2-1

8.16.0~rc2-2

8.16.0~rc3-1

8.16.0-1~bpo13+1

8.16.0-1

8.16.0-1+exp1

8.16.0-2

8.16.0-3

8.16.0-4~bpo13+1

8.16.0-4

8.17.0~rc1-1~exp1

8.17.0~rc2-1

8.17.0~rc3-1

8.17.0-1

8.17.0-2

8.17.0-3

8.18.0~rc1-1+exp1

8.18.0~rc2-1

8.18.0~rc3-1

8.18.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-15079.json"

Debian:13 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.14.1-2

8.14.1-2+deb13u1

8.14.1-2+deb13u2

8.14.1-2+exp1

8.15.0~rc1-1exp1

8.15.0~rc2-1~exp1

8.15.0~rc3-1~exp1

8.15.0-1~bpo13+1

8.15.0-1~exp1

8.15.0-1

8.16.0~rc1-1~exp1

8.16.0~rc2-1

8.16.0~rc2-2

8.16.0~rc3-1

8.16.0-1~bpo13+1

8.16.0-1

8.16.0-1+exp1

8.16.0-2

8.16.0-3

8.16.0-4~bpo13+1

8.16.0-4

8.17.0~rc1-1~exp1

8.17.0~rc2-1

8.17.0~rc3-1

8.17.0-1

8.17.0-2

8.17.0-3

8.18.0~rc1-1+exp1

8.18.0~rc2-1

8.18.0~rc3-1

8.18.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-15079.json"

Debian:14 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.18.0~rc3-1

Affected versions

8.*

8.14.1-2

8.14.1-2+exp1

8.15.0~rc1-1exp1

8.15.0~rc2-1~exp1

8.15.0~rc3-1~exp1

8.15.0-1~bpo13+1

8.15.0-1~exp1

8.15.0-1

8.16.0~rc1-1~exp1

8.16.0~rc2-1

8.16.0~rc2-2

8.16.0~rc3-1

8.16.0-1~bpo13+1

8.16.0-1

8.16.0-1+exp1

8.16.0-2

8.16.0-3

8.16.0-4~bpo13+1

8.16.0-4

8.17.0~rc1-1~exp1

8.17.0~rc2-1

8.17.0~rc3-1

8.17.0-1

8.17.0-2

8.17.0-3

8.18.0~rc1-1+exp1

8.18.0~rc2-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-15079.json"