CVE-2025-0665

9.8 CRITICAL

📋 TL;DR

libcurl incorrectly closes the same eventfd file descriptor twice during threaded name resolution cleanup, causing a use-after-free condition. This vulnerability affects applications using libcurl with threaded DNS resolution enabled, potentially allowing remote code execution or denial of service.

💻 Affected Systems

Products:
  • libcurl
  • curl command-line tool
  • Applications linking against libcurl
Versions: libcurl 8.9.0 to 8.10.0
Operating Systems: Linux, Unix-like systems with eventfd support
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when built with threaded DNS resolver enabled (CURLRES_THREADED). Many distributions disable this by default.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Application crash or denial of service affecting curl-dependent services, potentially disrupting web requests or API calls.

🟢 If Mitigated: Limited impact with proper sandboxing and privilege separation, potentially only causing isolated process crashes.

🌐 Internet-Facing: HIGH - Applications accepting untrusted URLs or processing external data with libcurl are directly exposed.
🏢 Internal Only: MEDIUM - Internal services using libcurl could be exploited through lateral movement or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering threaded DNS resolution with specific timing conditions. No public exploits confirmed as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.11.0

Vendor Advisory: https://curl.se/docs/CVE-2025-0665.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 8.11.0 or later.
2. Rebuild applications linking against libcurl.
3. Restart affected services using libcurl.

🔧 Temporary Workarounds

Disable threaded DNS resolution

all

Configure libcurl to use synchronous DNS resolution instead of threaded resolver

curl_easy_setopt(curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
Or compile libcurl without CURLRES_THREADED support.

🧯 If You Can't Patch

  • Implement network segmentation to isolate curl-dependent services
  • Use application sandboxing (seccomp, containers) to limit impact of potential exploitation

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version: curl --version | head -1. If the version is between 8.9.0 and 8.10.0 inclusive, check whether it was built with threaded resolver support.

Check Version:

curl --version | head -1

Verify Fix Applied:

Verify libcurl version is 8.11.0 or higher: curl --version | grep -E '^curl (8\.(1[1-9]|[2-9][0-9])|(9|[1-9][0-9]+)\.)'
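
The "Check if Vulnerable" step above, as an added shell example (not part of the original page or the curl project): it classifies `curl --version` output by the libcurl version and by whether the Features line indicates the threaded resolver. The version bounds are this page's figures; the function names `ver_num`, `classify_curl_build` and `sample`, and the sample output, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Version bounds are this page's figures:
# affected 8.9.0 to 8.10.0 inclusive, fixed in 8.11.0.

# ver_num X.Y.Z -> one integer, so versions compare numerically.
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Reads `curl --version` text on stdin and prints one of:
#   patched | out-of-range | in-range:threaded | in-range:c-ares
#   | in-range:sync | unknown
classify_curl_build() {
    out=$(cat)
    # Parse the libcurl/X.Y.Z token: the tool and the library it loads can differ.
    lib=$(printf '%s\n' "$out" |
        sed -n '1s/.*libcurl\/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    [ -n "$lib" ] || { echo unknown; return 0; }
    v=$(ver_num "$lib")
    if [ "$v" -ge "$(ver_num 8.11.0)" ]; then echo patched; return 0; fi
    if [ "$v" -lt "$(ver_num 8.9.0)" ] || [ "$v" -gt "$(ver_num 8.10.0)" ]; then
        echo out-of-range; return 0
    fi
    # AsynchDNS is listed for both asynchronous resolver backends; a c-ares
    # build also names c-ares/<version> on the first line.
    if printf '%s\n' "$out" | grep -q '^Features:.* AsynchDNS'; then
        if printf '%s\n' "$out" | head -n 1 | grep -q ' c-ares/'; then
            echo in-range:c-ares
        else
            echo in-range:threaded
        fi
    else
        echo in-range:sync
    fi
}

# sample VERSION EXTRA_LIBS FEATURES: constructed `curl --version` text
# (not captured from a real host), for trying the classifier offline.
sample() {
    printf 'curl %s (x86_64-pc-linux-gnu) libcurl/%s OpenSSL/3.0.13%s\n' "$1" "$1" "$2"
    printf 'Features: %s\n' "$3"
}

sample 8.10.0 '' 'alt-svc AsynchDNS IPv6 SSL'
sample 8.10.0 '' 'alt-svc AsynchDNS IPv6 SSL' | classify_curl_build
# On a host with curl installed, classify the local build as well.
if command -v curl >/dev/null 2>&1; then
    curl --version | classify_curl_build
fi
```

Applications that bundle or statically link their own libcurl are not covered by the system `curl` binary's output and need to be checked separately.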

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in curl processes
  • Unexpected process termination of curl-dependent applications
  • Kernel logs showing use-after-free events

Network Indicators:

  • Unusual DNS query patterns from applications using libcurl
  • Failed HTTP requests from curl-dependent services

SIEM Query:

process.name:"curl" AND (event.action:"segmentation_fault" OR process.exit_code:139)
