JLSEC-2026-433

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-433.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-433.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2026-433
Upstream
  • EUVD-2025-16332
  • GHSA-x8ch-h5vv-q6cm
Published
2026-05-04T13:12:06.605Z
Modified
2026-05-04T13:32:21.521681867Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an...
Details

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3 when the TLS backend is wolfSSL. The documentation says the option works with wolfSSL but does not specify that it is not applied for QUIC and HTTP/3. Since a passing pin check is what lets the transfer succeed, a user relying on pinning could unwittingly connect to an impostor server without noticing.

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "database_specific": {
                "status": "Analyzed"
            },
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5025",
            "id": "CVE-2025-5025",
            "imported": "2026-05-02T08:39:49.325Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5025",
            "modified": "2025-07-30T19:41:37.987Z",
            "published": "2025-05-28T07:15:24.910Z"
        },
        {
            "imported": "2026-05-02T08:42:49.199Z",
            "published": "2025-05-28T09:31:26Z",
            "url": "https://api.github.com/advisories/GHSA-x8ch-h5vv-q6cm",
            "id": "GHSA-x8ch-h5vv-q6cm",
            "modified": "2025-07-30T21:32:41Z",
            "html_url": "https://github.com/advisories/GHSA-x8ch-h5vv-q6cm"
        },
        {
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-16332",
            "id": "EUVD-2025-16332",
            "imported": "2026-05-02T08:42:19Z",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-16332",
            "modified": "2025-05-30T16:19:53Z",
            "published": "2025-05-28T06:29:51Z"
        }
    ]
}
References

Affected packages

Julia / CURL_jll

Package

Name
CURL_jll
Purl
pkg:julia/CURL_jll?uuid=b21e61f3-bafc-59ac-ab14-4c5c62d6588d

Affected ranges

Type
SEMVER
Events
Introduced
8.5.0+0
Fixed
8.14.1+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-433.json"

Julia / LibCURL_jll

Package

Name
LibCURL_jll
Purl
pkg:julia/LibCURL_jll?uuid=deac9b47-8bc7-5906-a0fe-35ac56dc84c0

Affected ranges

Type
SEMVER
Events
Introduced
8.5.0+0
Fixed
8.14.1+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-433.json"