CVE-2025-13034

5.9 MEDIUM

📋 TL;DR

A certificate pinning bypass vulnerability in curl allows attackers to impersonate servers when specific conditions are met. The vulnerability affects users who explicitly disable standard certificate verification while using QUIC with ngtcp2 built with GnuTLS. This could lead to man-in-the-middle attacks against affected curl connections.

💻 Affected Systems

Products:
  • curl
  • libcurl
Versions: libcurl 8.8.0 to 8.9.0
Operating Systems: All operating systems where affected curl versions are installed
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when all three conditions hold:
  • Using QUIC with ngtcp2 built to use GnuTLS
  • Explicitly disabling standard certificate verification
  • Using CURLOPT_PINNEDPUBLICKEY or the --pinnedpubkey option

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept and manipulate sensitive data transmitted via curl, including authentication credentials, API keys, and other confidential information, leading to data breaches or unauthorized access.

🟠 Likely Case

Targeted man-in-the-middle attacks against specific curl users who have misconfigured their certificate verification settings, potentially compromising sensitive but non-critical data.

🟢 If Mitigated

No impact for users with proper certificate verification enabled or who aren't using the specific QUIC/ngtcp2/GnuTLS configuration.

🌐 Internet-Facing: MEDIUM - Requires specific misconfiguration and attacker positioning, but could affect external API calls or data transfers.
🏢 Internal Only: LOW - Internal network attacks would require additional network access and the specific vulnerable configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires man-in-the-middle positioning and knowledge of the specific vulnerable configuration. No public exploits have been reported as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.10.0

Vendor Advisory: https://curl.se/docs/CVE-2025-13034.html

Restart Required: No

Instructions:

1. Update curl to version 8.10.0 or later.
2. For Linux systems: use the package manager (apt-get upgrade curl, yum update curl, etc.).
3. For compiled installations: download and compile from https://curl.se/download.html.
4. Verify the update with 'curl --version'.

🔧 Temporary Workarounds

Enable standard certificate verification

Applies to: all

Ensure CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are enabled (default behavior) to prevent the vulnerable condition.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

Avoid QUIC with GnuTLS ngtcp2

Applies to: all

Use alternative protocols or TLS backends if QUIC with ngtcp2/GnuTLS is not required.

🧯 If You Can't Patch

  • Ensure standard certificate verification is always enabled (CURLOPT_SSL_VERIFYPEER=true, CURLOPT_SSL_VERIFYHOST=2)
  • Monitor network traffic for unexpected certificate changes or man-in-the-middle indicators

🔍 How to Verify

Check if Vulnerable:

Check curl version with 'curl --version'. If version is between 8.8.0 and 8.9.0 inclusive, and you use QUIC with ngtcp2/GnuTLS with certificate verification disabled, you are vulnerable.

Check Version:

curl --version | head -1

Verify Fix Applied:

Run 'curl --version' and confirm version is 8.10.0 or higher. Test certificate pinning functionality with QUIC connections.
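As an added example that is not part of this advisory, the following POSIX shell script applies the "Check if Vulnerable" logic above to the text of 'curl --version': the libcurl version must fall in 8.8.0 through 8.9.0, and the first line must name both ngtcp2 and GnuTLS with HTTP3 listed under Features. The function names, output labels and sample version strings are constructed for this example; the per-request conditions (verification disabled, pinning in use) cannot be read from the version output, so a match flags a build for review rather than proving exposure.

```shell
#!/bin/sh
# Added example: classify `curl --version` output against the build profile
# described for CVE-2025-13034 (libcurl 8.8.0..8.9.0, ngtcp2 on GnuTLS, HTTP3).
# Per-request conditions (verification disabled, pinning) are not visible here.

# Convert a dotted version such as "8.9.0" into 80900 for numeric comparison.
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*10000 + $2*100 + $3 }'
}

# Argument: full text of `curl --version`.
# Prints one label (unparsed | fixed_version | not_affected_build | vulnerable_build)
# and returns 0 only for vulnerable_build.
check_curl_build() {
    out="$1"
    first=$(printf '%s\n' "$out" | head -1)
    libver=$(printf '%s\n' "$first" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$libver" ] || { echo "unparsed"; return 1; }
    n=$(ver_num "$libver")
    if [ "$n" -ge "$(ver_num 8.10.0)" ]; then
        echo "fixed_version"; return 1
    fi
    if [ "$n" -lt "$(ver_num 8.8.0)" ] || [ "$n" -gt "$(ver_num 8.9.0)" ]; then
        echo "not_affected_build"; return 1
    fi
    # Both the QUIC library and the TLS backend must appear on the first line.
    case "$first" in
        *ngtcp2/*GnuTLS/*|*GnuTLS/*ngtcp2/*) ;;
        *) echo "not_affected_build"; return 1 ;;
    esac
    # QUIC is only reachable when HTTP3 is among the compiled-in features.
    printf '%s\n' "$out" | grep -q '^Features:.*HTTP3' || { echo "not_affected_build"; return 1; }
    echo "vulnerable_build"
    return 0
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VULN='curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.8.5 zlib/1.3.1 ngtcp2/1.5.0 nghttp3/1.3.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 Largefile SSL TLS-SRP'
SAMPLE_FIXED='curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 GnuTLS/3.8.5 ngtcp2/1.5.0 nghttp3/1.3.0
Features: HTTP2 HTTP3 SSL'
SAMPLE_OPENSSL='curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 OpenSSL/3.0.13 ngtcp2/1.5.0 nghttp3/1.3.0
Features: HTTP2 HTTP3 SSL'

check_curl_build "$SAMPLE_VULN"   # prints vulnerable_build
```

To check a live binary, pass "$(curl --version)" instead of the constructed sample.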

📡 Detection & Monitoring

Log Indicators:

  • Failed certificate pinning checks in curl logs
  • Unexpected certificate changes during QUIC sessions

Network Indicators:

  • Man-in-the-middle activity between curl clients and servers
  • Certificate mismatches in encrypted QUIC traffic

SIEM Query:

source="curl_logs" AND ("certificate verification failed" OR "pinned public key mismatch")
