CVE-2025-10966

4.3 MEDIUM

📋 TL;DR

CVE-2025-10966 is a vulnerability in curl's SFTP support when curl is built with the wolfSSH backend: the server's SSH host key is never verified (the equivalent of a known_hosts check is simply not performed), so curl accepts whatever server answers the connection. An attacker who can place themselves on the network path can therefore impersonate the SFTP server or relay the session, reading or modifying transferred files without the client detecting it. Affected users are those running curl builds in the vulnerable version range that use wolfSSH for SFTP; libssh2 and libssh builds are not affected.

💻 Affected Systems

Products:
  • curl
Versions: curl versions 8.9.0 through 8.10.0
Operating Systems: All operating systems where curl with wolfSSH backend is used
Default Config Vulnerable: ⚠️ Yes (for builds linked against wolfSSH; no runtime option turns the missing host key check on)
Notes: Only affects SFTP connections through the wolfSSH backend; builds using libssh2 or libssh, and all non-SSH protocols, are not affected. wolfSSH is uncommon in distribution packages of curl, so check which backend a build uses before assuming exposure.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker on the network path impersonates the SFTP server (or relays the session to the real one): files curl uploads land on the attacker's host, files curl downloads can be replaced with malicious content, and a password sent during authentication is disclosed to the impostor, which can then be used for unauthorized access to the real server.

🟠

Likely Case

MITM attackers intercepting SFTP connections in untrusted networks could read or modify transferred files, compromising data integrity and confidentiality.

🟢

If Mitigated

With SFTP endpoints reachable only over trusted paths (network segmentation, VPN or an authenticated tunnel), or with curl built against libssh2 or libssh where host key checking works, the remaining exposure is low. Certificate or key pinning inside the application does not help here, because the wolfSSH build skips the host key check entirely.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a position on the network path between the curl client and the SFTP server, or control of name resolution or routing to redirect the connection; from there the attacker can impersonate the server because its host key is never checked. No credentials on the server are needed and no client-side authentication is bypassed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: curl 8.11.0

Vendor Advisory: https://curl.se/docs/CVE-2025-10966.html

Restart Required: Yes for long-running processes that link libcurl dynamically (they keep the old library in memory until restarted); statically linked applications must be rebuilt.

Instructions:

1. Update curl to version 8.11.0 or later (confirm the fixed version against the vendor advisory; distributions may backport the fix under an older package version, so check the package changelog rather than the version number alone).
2. On Linux/macOS, use the package manager (e.g. apt-get upgrade curl, brew upgrade curl).
3. On Windows, download the updated build from the official curl website.
4. Rebuild applications that link libcurl statically; restart long-running processes that link it dynamically.

🔧 Temporary Workarounds

Use alternative SSH backend

all

Rebuild curl against libssh2 or libssh instead of wolfSSH. Those backends honour known_hosts checking (CURLOPT_SSH_KNOWNHOSTS), which is exactly what the wolfSSH build skips.

Run curl --version: the first line names the SSH library the build was linked against (a libssh2/, libssh/ or wolfSSH token).
Rebuild curl with a different SSH backend if that line shows wolfSSH (for source builds, configure with --with-libssh2 or --with-libssh instead of --with-wolfssh).

Disable SFTP usage

all

Avoid using SFTP protocol in curl commands where possible.

Replace SFTP URLs with HTTPS or other secure protocols

🧯 If You Can't Patch

  • Restrict SFTP connections to trusted networks using firewalls or VPNs.
  • Do not rely on host key pinning in application code as a substitute: with the wolfSSH backend the server host key is not checked at all, so CURLOPT_SSH_KNOWNHOSTS and related options give no protection until curl is rebuilt against another backend or updated.
  • Use public-key client authentication rather than passwords for SFTP, so that an impostor server cannot capture a reusable credential (the SSH client signature is bound to the session, so it cannot be relayed); this limits the damage but does not stop interception of the files themselves.

🔍 How to Verify

Check if Vulnerable:

Run 'curl --version'. The first line shows the curl version and the SSH library the build was linked against; a build is affected only if the version is between 8.9.0 and 8.10.0 and that line names wolfSSH (libssh2 and libssh builds are not affected). The Protocols line confirms whether sftp is compiled in at all.

Check Version:

curl --version | head -1

Verify Fix Applied:

After update, run 'curl --version' to confirm version is 8.11.0 or higher.
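As an added example (not code from the curl project or from this page), the following POSIX shell script turns the manual checks in the workaround and verification sections above into a function: it parses `curl --version` output, identifies the SSH backend from the first line, confirms that sftp is in the protocol list, and compares the version against the range this page lists. The `wolfssh/<version>` token on the first line, the sample outputs, and the version range are assumptions: confirm the token format against a real wolfSSH build of curl and the range against the vendor advisory.

```shell
#!/bin/sh
# Added example, not code from the curl project: classify a `curl --version`
# output as affected by CVE-2025-10966 or not. Two conditions must hold:
#   1. the build uses wolfSSH as its SSH backend (first line carries a
#      "wolfssh/<version>" token, assumed here; libssh2 and libssh builds
#      print "libssh2/..." or "libssh/..." instead), and
#   2. the version is in the range this page lists (8.9.0 .. 8.10.0,
#      fixed in 8.11.0). Confirm the range against the vendor advisory.
# The sample outputs at the bottom are constructed for this example.

# "8.10.0" -> 8010000 so that versions compare as integers.
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Usage: curl_wolfssh_status "<full output of curl --version>"
# Prints one of:
#   VULNERABLE | PATCHED | OUTSIDE-LISTED-RANGE | UNAFFECTED-BACKEND | NO-SFTP | UNKNOWN
curl_wolfssh_status() {
    out=$1
    first=$(printf '%s\n' "$out" | sed -n '1p' | tr 'A-Z' 'a-z')
    ver=$(printf '%s\n' "$first" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi
    # Which SSH library was curl linked against? Only wolfSSH is affected.
    case "$first" in
        *wolfssh/*) ;;
        *) echo UNAFFECTED-BACKEND; return 0 ;;
    esac
    # A wolfSSH build without sftp in its protocol list cannot speak SFTP.
    has_sftp=$(printf '%s\n' "$out" |
        awk '/^Protocols:/ { for (i = 2; i <= NF; i++) if ($i == "sftp") print "yes" }')
    if [ "$has_sftp" != yes ]; then
        echo NO-SFTP
        return 0
    fi
    v=$(ver_num "$ver"); lo=$(ver_num 8.9.0); hi=$(ver_num 8.10.0)
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo VULNERABLE
    elif [ "$v" -gt "$hi" ]; then
        echo PATCHED
    else
        echo OUTSIDE-LISTED-RANGE
    fi
}

# Check the curl on this host (prints UNKNOWN if curl is not installed).
check_local_curl() {
    curl_wolfssh_status "$(curl --version 2>/dev/null)"
}

# Constructed sample outputs; the wolfssh/ token format is an assumption.
SAMPLE_VULN='curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.0.13 zlib/1.3 wolfssh/1.4.17
Release-Date: 2024-09-11
Protocols: dict file ftp ftps http https scp sftp
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL'

SAMPLE_PATCHED='curl 8.11.0 (x86_64-pc-linux-gnu) libcurl/8.11.0 OpenSSL/3.0.13 zlib/1.3 wolfssh/1.4.17
Release-Date: 2024-11-06
Protocols: dict file ftp ftps http https scp sftp
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL'

SAMPLE_LIBSSH2='curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.0.13 zlib/1.3 libssh2/1.11.0
Release-Date: 2024-09-11
Protocols: dict file ftp ftps http https scp sftp
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL'

SAMPLE_NOSFTP='curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.0.13 zlib/1.3 wolfssh/1.4.17
Release-Date: 2024-09-11
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL'

for s in "$SAMPLE_VULN" "$SAMPLE_PATCHED" "$SAMPLE_LIBSSH2" "$SAMPLE_NOSFTP"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | sed -n '1p' | cut -d' ' -f1-2)" \
        "$(curl_wolfssh_status "$s")"
done
```

To audit a fleet, run `check_local_curl` on each host through your configuration management or remote-execution tool and collect the one-word result; the version range and the backend token should be adjusted if the vendor advisory or a real wolfSSH build differ from what this page states.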

📡 Detection & Monitoring

Log Indicators:

  • None from the vulnerable client itself: a wolfSSH build never compares the server host key, so it logs no mismatch. Look at the server side instead: sshd authentication logs for the SFTP account showing logins from unexpected source addresses (a relaying attacker connects to the real server from its own address).
  • Host key mismatch warnings from libssh2/libssh builds of curl, or from OpenSSH clients, on the same network segment; these point at an interception attempt that a wolfSSH build would have accepted silently.

Network Indicators:

  • SSH/SFTP traffic is always encrypted, so content inspection is not possible. Look instead for SSH sessions from curl hosts to destinations other than the known SFTP servers, and for DNS answers for SFTP hostnames that resolve to unexpected addresses.

SIEM Query:

The curl version and SSH backend are not visible in network or SSH logs, so this query needs a software-inventory data source; field names are illustrative and depend on the inventory tool:

source="software_inventory" AND product="curl" AND ssh_backend="wolfssh" AND version>="8.9.0" AND version<="8.10.0"
