CVE-2025-15079
📋 TL;DR
This vulnerability in libcurl allows SSH-based transfers (SCP/SFTP) to accept connections to hosts not listed in the specified known_hosts file if those hosts exist in the global libssh known_hosts file. This affects applications using libcurl with SSH support and custom known_hosts configurations, potentially enabling man-in-the-middle attacks.
💻 Affected Systems
- libcurl
- Applications using libcurl with SSH support
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Man-in-the-middle attacker intercepts SSH transfers, potentially stealing credentials or sensitive data in transit.
Likely Case
Attackers could redirect connections to malicious servers, compromising data integrity and confidentiality of SSH transfers.
If Mitigated
With proper host verification and network segmentation, impact is limited to potential connection redirection within controlled environments.
🎯 Exploit Status
Exploitation requires ability to intercept SSH connections and knowledge of target's SSH configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libcurl 8.10.0
Vendor Advisory: https://curl.se/docs/CVE-2025-15079.html
Restart Required: No
Instructions:
1. Update libcurl to version 8.10.0 or later.
2. Recompile applications that link libcurl statically.
3. Restart applications that use libcurl.
🔧 Temporary Workarounds
Use strict host key checking
Configure libcurl to use strict host key checking and disable fallback to the global known_hosts file:
/* point libcurl at the explicit known_hosts file the application trusts */
curl_easy_setopt(curl, CURLOPT_SSH_KNOWNHOSTS, "/path/to/known_hosts");
/* restrict authentication to public-key auth */
curl_easy_setopt(curl, CURLOPT_SSH_AUTH_TYPES, CURLSSH_AUTH_PUBLICKEY);
Clear global known_hosts file
Remove or secure the global libssh known_hosts file to prevent fallback (pick one of the two commands):
rm ~/.ssh/known_hosts          # either remove the global file entirely
chmod 600 ~/.ssh/known_hosts   # or keep it and restrict it to the owner
🧯 If You Can't Patch
- Disable SSH/SCP/SFTP transfers in affected applications
- Implement network-level controls to restrict SSH connections to trusted hosts only
🔍 How to Verify
Check if Vulnerable:
Check the libcurl version and whether the application performs SSH transfers with a custom known_hosts file (CURLOPT_SSH_KNOWNHOSTS).
Check Version:
curl --version | grep libcurl
Verify Fix Applied:
Confirm the libcurl version is 8.10.0 or later, then test that SSH transfers are rejected when the specified known_hosts file does not contain the server's key.
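As an added example (not from the advisory or the curl project), a POSIX shell check that classifies the first line of `curl --version` against the fix version given above. It assumes the libssh backend shows up as a `libssh/<version>` token in that banner and, following the advisory's wording, that only libssh builds are affected.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner for CVE-2025-15079.
# Assumptions (not from the advisory): the libssh backend appears as a
# "libssh/<ver>" token; builds without that token are treated as not affected.

FIXED_VERSION="8.10.0"   # patch version stated in the advisory

# version_lt A B -> returns 0 (true) when dotted version A is numerically lower than B
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# ssh_fallback_status "<first line of curl --version>" prints one of:
#   unknown       no libcurl/<version> token in the banner
#   not-affected  build has no libssh backend
#   vulnerable    libssh backend and libcurl older than FIXED_VERSION
#   fixed         libssh backend and libcurl at or above FIXED_VERSION
ssh_fallback_status() {
    libcurl_ver=""; has_libssh=0
    for tok in $1; do
        case $tok in
            libcurl/*) libcurl_ver=${tok#libcurl/}; libcurl_ver=${libcurl_ver%%-*} ;;
            libssh/*)  has_libssh=1 ;;   # "libssh2/..." does not match this pattern
        esac
    done
    [ -n "$libcurl_ver" ] || { echo unknown; return 0; }
    [ "$has_libssh" -eq 1 ] || { echo not-affected; return 0; }
    if version_lt "$libcurl_ver" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample banners (not captured from real systems)
SAMPLE_OLD="curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13 zlib/1.3 libssh/0.10.6/openssl/zlib"
SAMPLE_NEW="curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.0.13 zlib/1.3 libssh/0.10.6/openssl/zlib"
SAMPLE_LIBSSH2="curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13 zlib/1.3 libssh2/1.11.0"

# To check the local build instead of the samples:
#   ssh_fallback_status "$(curl --version | head -n 1)"
```
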
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH connection failures
- SSH host key verification warnings in application logs
Network Indicators:
- SSH connections to unexpected IP addresses or hostnames
- Unusual SSH traffic patterns
SIEM Query:
source="application_logs" AND ("SSH host key" OR "known_hosts") AND ("warning" OR "failure")