CVE-2025-11563

4.6 MEDIUM

📋 TL;DR

CVE-2025-11563 is a path traversal vulnerability in wcurl where URLs containing percent-encoded slashes (like %2F or %5C) can trick the tool into saving output files outside the current directory. This allows attackers to write arbitrary files to unintended locations. Only users of the wcurl command-line tool are affected.

💻 Affected Systems

Products:
  • wcurl
Versions: All versions prior to the fix
Operating Systems: All platforms where wcurl runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the wcurl command-line tool, not libcurl or other curl implementations. Vulnerability requires user to run wcurl with a malicious URL.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could overwrite critical system files, configuration files, or create malicious executables in trusted directories, potentially leading to system compromise or data loss.

🟠 Likely Case

Attackers could write files to unexpected locations, potentially overwriting user files, creating backdoors, or planting malicious scripts that get executed later.

🟢 If Mitigated

With proper user permissions and sandboxing, impact is limited to the user's own files and directories they have write access to.

🌐 Internet-Facing: LOW - wcurl is typically used interactively or in scripts, not as an internet-facing service.
🏢 Internal Only: MEDIUM - The risk exists when users run wcurl with untrusted URLs, which could happen in automated scripts or when processing external input.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - simply craft a URL with percent-encoded slashes. No authentication or special privileges required beyond what the wcurl user already has.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check curl.se for latest patched version

Vendor Advisory: https://curl.se/docs/CVE-2025-11563.html

Restart Required: No

Instructions:

1. Visit https://curl.se to download the latest wcurl version.
2. Replace the existing wcurl binary with the patched version.
3. Verify the installation with a version check.

🔧 Temporary Workarounds

URL validation before processing

Platform: all

Validate and sanitize URLs before passing them to wcurl, rejecting any that contain percent-encoded slashes.

# Example bash script to check a URL before passing it to wcurl
# (bash is required for [[ ]] and =~; the pattern is case-insensitive,
# so %2f and %5c are rejected as well as %2F and %5C)
url="$1"
if [[ "$url" =~ %(2[Ff]|5[Cc]) ]]; then
    echo "Rejecting URL with encoded slashes: $url" >&2
    exit 1
fi
wcurl "$url"
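A stricter pre-check, added here as an example and not part of the advisory or the wcurl project: instead of pattern-matching the raw URL, it percent-decodes the last path segment (the part a URL-derived output filename would come from) and refuses any name that decodes to a path separator, a dot component, or nothing at all. It generalizes the regex above to every encoding case (%2f, %2F, %5c, %5C, %2e) and assumes bash and the hypothetical wrapper name checked_wcurl.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or the wcurl project). The %XX
# sequences are decoded with printf %b after rewriting them as \xXX, so
# every letter case is handled, unlike a case-sensitive raw-URL pattern.

# Print the percent-decoded last path segment of a URL, with any query
# string or fragment removed. Prints nothing if the URL has no path.
url_basename() {
    local path="${1#*://}"                 # drop the scheme
    path="${path#*/}"                      # drop the host
    [[ "$1" == *://*/* ]] || path=""       # no path at all -> empty name
    path="${path%%[?#]*}"                  # drop ?query and #fragment
    local seg="${path##*/}"                # last raw segment
    seg="${seg//\\/\\\\}"                  # protect literal backslashes from %b
    printf '%b' "${seg//%/\\x}"            # %2F -> \x2F -> "/"
}

# Return 0 if the decoded name can only land in the current directory,
# 1 if it is empty, "." or "..", or contains "/" or "\" after decoding.
safe_output_name() {
    local name
    name="$(url_basename "$1")"
    [[ -z "$name" || "$name" == "." || "$name" == ".." ]] && return 1
    [[ "$name" == */* || "$name" == *\\* ]] && return 1
    return 0
}

# Hypothetical wrapper: only invoke wcurl when the name check passes.
checked_wcurl() {
    if safe_output_name "$1"; then
        wcurl "$1"
    else
        echo "Rejecting URL whose decoded filename escapes the current directory: $1" >&2
        return 1
    fi
}
```

Names such as "a%2e%2e%5cb" are caught too, because the check runs on the decoded result rather than on a fixed list of encodings.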

Use alternative curl implementation

Platform: all

Use standard curl instead of wcurl where possible, giving the output filename explicitly so it is not derived from the URL.

# -o sets the output filename explicitly instead of deriving it from the URL
curl -o output.txt "URL"

🧯 If You Can't Patch

  • Restrict wcurl usage to trusted users only
  • Implement strict file system permissions to limit where wcurl can write files

🔍 How to Verify

Check if Vulnerable:

Test with: wcurl -o test.txt 'http://example.com/test%2F..%2Fmalicious.txt' and check whether a file is created outside the current directory.

Check Version:

wcurl --version

Verify Fix Applied:

After patching, repeat the test above - the file should be saved in the current directory only.

📡 Detection & Monitoring

Log Indicators:

  • wcurl commands with URLs containing %2F or %5C patterns
  • File writes to unexpected directories by wcurl process

Network Indicators:

  • Outbound requests from wcurl to URLs with encoded slashes

SIEM Query:

process.name:"wcurl" AND (cmdline:"%2F" OR cmdline:"%5C")
