CVE-2025-14017

6.3 MEDIUM

📋 TL;DR

CVE-2025-14017 is a thread safety vulnerability in libcurl's LDAPS implementation where TLS option changes in one thread affect all concurrent LDAPS transfers globally. This allows disabling certificate verification for one transfer to unintentionally disable verification for other threads, potentially enabling man-in-the-middle attacks. Affects applications using libcurl for multi-threaded LDAPS connections.

💻 Affected Systems

Products:
  • libcurl
  • curl
  • applications using libcurl for LDAPS
Versions: libcurl 7.12.0 through 8.9.0
Operating Systems: All operating systems where libcurl is used
Default Config Vulnerable: ✅ No
Notes: Only affects multi-threaded applications using LDAPS (LDAP over TLS). Single-threaded applications or those not using LDAPS are not affected.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could perform man-in-the-middle attacks against LDAPS connections, intercepting or modifying sensitive LDAP data including authentication credentials and directory information.

🟠

Likely Case

Accidental misconfiguration where disabling certificate verification for one transfer unintentionally disables it for others, potentially exposing sensitive LDAP queries to interception.

🟢

If Mitigated

Limited impact if proper network segmentation and certificate validation are already enforced at network level.

🌐 Internet-Facing: MEDIUM - LDAPS connections to internet-facing services could be intercepted if certificate verification is disabled.
🏢 Internal Only: MEDIUM - Internal LDAPS connections could be compromised if attackers gain network access and certificate verification is disabled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to control TLS options in one thread while other threads are performing LDAPS transfers. This typically requires application-level access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.10.0

Vendor Advisory: https://curl.se/docs/CVE-2025-14017.html

Restart Required: Yes

Instructions:

1. Identify applications using libcurl
2. Update libcurl to version 8.10.0 or later
3. Recompile applications if using static linking
4. Restart affected services

🔧 Temporary Workarounds

Disable multi-threaded LDAPS (applies to: all)

Configure applications to use single-threaded LDAPS connections or avoid LDAPS entirely. Application-specific configuration required.

Enforce certificate verification at application level (applies to: all)

Implement additional certificate validation logic in application code. Application-specific implementation required.

🧯 If You Can't Patch

  • Isolate LDAPS connections to trusted networks only
  • Implement network-level TLS inspection and certificate validation

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version in use: curl --version | grep libcurl

Verify Fix Applied:

Verify the reported libcurl version is 8.10.0 or higher: curl --version | grep libcurl
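The version check above is easy to get wrong by eye (8.9.0 sorts after 8.10.0 as a string). The following POSIX sh script is an added example, not part of the advisory or of the curl project: it parses the `curl --version` banner, compares the libcurl version numerically against the fixed release 8.10.0 named above, and returns a distinct exit status for "fixed", "older than the fix" and "no libcurl version found". The banner lines in the comments are constructed samples. One caveat: `curl --version` only reports the libcurl that the curl binary itself links; an application may link or bundle a different libcurl, so check each application's library (for example with `ldd` on its binary) rather than relying on the command-line tool alone.

```shell
#!/bin/sh
# Added example, not from the advisory: decide from a `curl --version` banner
# whether the libcurl in use is at or above the fixed release (8.10.0 per the
# advisory). Only the banner text is parsed, so the check also works on output
# pasted from another host.

FIXED_VERSION="8.10.0"

# Pull the libcurl version out of a banner line such as (constructed sample)
# "curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 OpenSSL/3.0.13 zlib/1.3".
# Only digits and dots are kept, so a suffix like "-DEV" is ignored.
libcurl_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Compare two dotted versions numerically, field by field; ".0.0" is appended
# so that short versions like "8.11" still have three fields. Prints "lt",
# "eq" or "gt".
compare_versions() {
  a="$1.0.0"
  b="$2.0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
    if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    i=$((i + 1))
  done
  echo eq
}

# Exit status 0 when the banner's libcurl is >= FIXED_VERSION, 1 when it is
# older (inside the affected range), 2 when no libcurl version was found.
libcurl_is_fixed() {
  v=$(libcurl_version_from_banner "$1")
  [ -n "$v" ] || return 2
  [ "$(compare_versions "$v" "$FIXED_VERSION")" != "lt" ]
}

# Usage: sh check_libcurl.sh --check-installed
# Runs the check against the curl binary on PATH and prints the verdict.
if [ "${1:-}" = "--check-installed" ]; then
  banner=$(curl --version 2>/dev/null | head -n 1)
  ver=$(libcurl_version_from_banner "$banner")
  if libcurl_is_fixed "$banner"; then
    echo "libcurl $ver: at or above $FIXED_VERSION, fix present"
  else
    status=$?
    if [ "$status" -eq 1 ]; then
      echo "libcurl $ver: below $FIXED_VERSION, update required"
    else
      echo "could not determine libcurl version from: $banner"
    fi
    exit "$status"
  fi
fi
```

The exit status makes the script usable from configuration management or a fleet inventory job: 0 means the fix is present, 1 means the host still needs the update, 2 means the banner could not be parsed and the host needs a manual look.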

📡 Detection & Monitoring

Log Indicators:

  • LDAPS connection failures
  • Certificate validation errors
  • Unexpected LDAP query results

Network Indicators:

  • Unencrypted LDAP traffic after LDAPS initiation
  • Suspicious certificate changes during LDAPS sessions

SIEM Query:

source="*ldap*" AND (event="certificate_error" OR event="tls_error")
