CVE-2025-10148

5.3 MEDIUM

📋 TL;DR

curl's WebSocket implementation uses a fixed 32-bit mask pattern for all outgoing frames instead of generating a new random mask for each frame, as the WebSocket specification requires. This allows a malicious server to manipulate traffic so that proxies could interpret it as legitimate HTTP content, potentially poisoning proxy caches. Any system using a vulnerable curl version with WebSocket functionality enabled is affected.

💻 Affected Systems

Products:
  • curl
Versions: curl 8.8.0 to 8.9.0
Operating Systems: All platforms running affected curl versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WebSocket functionality; standard HTTP/HTTPS usage is not vulnerable.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious servers poison proxy caches with arbitrary content that gets served to all users of that proxy, enabling widespread content manipulation and potential credential theft.

🟠 Likely Case

Targeted cache poisoning attacks against specific organizations using vulnerable curl versions with transparent proxies, leading to content manipulation for limited user groups.

🟢 If Mitigated

Minimal impact if proxies validate WebSocket traffic properly or if vulnerable curl versions are not used with WebSocket functionality.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious WebSocket server and specific proxy configurations; not trivial but feasible for determined attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: curl 8.10.0

Vendor Advisory: https://curl.se/docs/CVE-2025-10148.html

Restart Required: No

Instructions:

1. Download curl 8.10.0 or later from https://curl.se/download.html
2. Compile and install according to your platform's instructions
3. Verify installation with 'curl --version'

🔧 Temporary Workarounds

Disable WebSocket Support (all platforms)

Disable WebSocket functionality in curl if it is not required:

Recompile curl with the --disable-websockets configure option

🧯 If You Can't Patch

  • Configure proxies to reject or properly validate WebSocket traffic
  • Use alternative WebSocket clients or libraries instead of curl's WebSocket implementation

🔍 How to Verify

Check if Vulnerable:

Run 'curl --version' and check if version is between 8.8.0 and 8.9.0 inclusive

Check Version:

curl --version | head -1

Verify Fix Applied:

Run 'curl --version' and confirm version is 8.10.0 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebSocket traffic patterns
  • Proxy cache entries with unexpected content

Network Indicators:

  • WebSocket traffic with predictable mask patterns
  • Unexpected HTTP responses from proxy caches

SIEM Query:

WebSocket traffic analysis showing consistent mask values across multiple frames
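
As an added example (not code from the curl project or the advisory), the check below implements the "consistent mask values across multiple frames" indicator: it walks the client-to-server half of a captured, unencrypted WebSocket stream and reports whether every masked frame reuses one key. It assumes the bytes start at a frame boundary after the HTTP upgrade; the function names, the `min_frames` threshold and the sample streams are constructed for illustration.

```python
import struct

def masking_keys(stream: bytes) -> list:
    """Masking key of every complete masked frame in a client-to-server
    WebSocket byte stream (frame layout per RFC 6455 section 5.2)."""
    keys, pos = [], 0
    while pos + 2 <= len(stream):
        masked = bool(stream[pos + 1] & 0x80)
        length = stream[pos + 1] & 0x7F
        pos += 2
        if length in (126, 127):                 # extended payload length
            size, fmt = (2, "!H") if length == 126 else (8, "!Q")
            if pos + size > len(stream):
                break
            (length,) = struct.unpack_from(fmt, stream, pos)
            pos += size
        end = pos + (4 if masked else 0) + length
        if end > len(stream):                    # truncated capture
            break
        if masked:
            keys.append(stream[pos:pos + 4])
        pos = end
    return keys

def mask_report(stream: bytes, min_frames: int = 3) -> dict:
    """Flag a connection whose masked frames all carry the same key."""
    keys = masking_keys(stream)
    distinct = len(set(keys))
    return {"frames": len(keys), "distinct_keys": distinct,
            "fixed_mask": len(keys) >= min_frames and distinct == 1}

def build_frame(payload: bytes, key: bytes) -> bytes:
    """Constructed-sample helper: one masked, final text frame."""
    n = len(payload)
    if n < 126:
        head = bytes([0x81, 0x80 | n])
    else:                                        # 16-bit length form (n < 65536)
        head = bytes([0x81, 0x80 | 126]) + struct.pack("!H", n)
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))

# Constructed samples: four frames sharing one key, four with distinct keys.
PAYLOADS = [b"hello", b"x" * 200, b"", b"ping?"]
FIXED = b"".join(build_frame(p, b"\x11\x22\x33\x44") for p in PAYLOADS)
FRESH = b"".join(build_frame(p, bytes([i, 7, 9, 0xA0 + i]))
                 for i, p in enumerate(PAYLOADS))

if __name__ == "__main__":
    print(mask_report(FIXED))
    print(mask_report(FRESH))
```

With per-frame random masks, two frames sharing a key is a 1-in-2^32 coincidence, so a connection where `fixed_mask` is true over several frames is a strong signal of a client that does not rotate its mask.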
