CVE-2025-15224
📋 TL;DR
Curl incorrectly uses SSH agent authentication for SCP/SFTP transfers even when explicitly configured for public key authentication. This allows attackers with access to the SSH agent to authenticate as the user. Affects curl users performing SSH-based transfers with public key authentication.
💻 Affected Systems
- curl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Attacker with SSH agent access can authenticate as the user and perform unauthorized SCP/SFTP transfers, potentially accessing sensitive files or systems.
Likely Case
Local attackers or malware with SSH agent access can misuse curl's SSH authentication to access remote systems the user is authorized to access.
If Mitigated
With proper SSH agent access controls and network segmentation, impact is limited to authorized users with SSH agent access.
🎯 Exploit Status
Exploitation requires access to the SSH agent socket. Proof of concept available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 8.11.0
Vendor Advisory: https://curl.se/docs/CVE-2025-15224.html
Restart Required: No
Instructions:
1. Update curl to version 8.11.0 or later.
2. For Linux: use the package manager (apt/yum/dnf) to update curl.
3. For Windows: download the latest version from curl.se.
4. For macOS: use Homebrew or download from curl.se.
🔧 Temporary Workarounds
Disable SSH agent for curl
Set the SSH_AUTH_SOCK environment variable to an empty value or a non-existent path for curl commands:
SSH_AUTH_SOCK='' curl -O scp://user@host/path
Use alternative authentication
Use password authentication instead of public key authentication for SCP/SFTP transfers:
curl --user username:password -O scp://host/path
🧯 If You Can't Patch
- Restrict SSH agent access using filesystem permissions on the SSH_AUTH_SOCK socket
- Use network segmentation to limit which systems can be accessed via curl SCP/SFTP
🔍 How to Verify
Check if Vulnerable:
Run curl --version. If the reported version is between 8.9.0 and 8.10.0 inclusive, the system is vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
After update, verify curl version is 8.11.0 or later: curl --version | head -1
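The version checks above, scripted as an added example (not part of the advisory): it parses the first line of `curl --version`, compares the version numerically against the affected range and fixed release stated on this page, and reports the result. Function names and the "not-in-affected-range" label for versions the advisory does not classify are this example's own choices.

```shell
#!/bin/sh
# Added example: classify a curl version against the ranges stated in this
# advisory: affected 8.9.0 through 8.10.0 inclusive, fixed in 8.11.0.

# ver_to_num "8.10.1" -> 8010001  (major*1000000 + minor*1000 + patch);
# a missing patch component counts as 0, a suffix such as "-DEV" is ignored.
ver_to_num() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# curl_vuln_status VERSION -> prints one of:
#   vulnerable             in the advisory's affected range
#   fixed                  at or above the fixed release
#   not-in-affected-range  any version the advisory does not classify
curl_vuln_status() {
  v=$(ver_to_num "$1")
  lo=$(ver_to_num 8.9.0)
  hi=$(ver_to_num 8.10.0)
  fix=$(ver_to_num 8.11.0)
  if [ "$v" -ge "$fix" ]; then
    echo fixed
  elif [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
    echo vulnerable
  else
    echo not-in-affected-range
  fi
}

# installed_curl_version: the first line of `curl --version` reads
# "curl X.Y.Z (platform) libcurl/..."; the second field is the version.
installed_curl_version() {
  curl --version 2>/dev/null | awk 'NR==1 { print $2 }'
}

# Usage on the local host (curl must be on PATH):
#   curl_vuln_status "$(installed_curl_version)"
```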
📡 Detection & Monitoring
Log Indicators:
- Unexpected SCP/SFTP transfers from curl
- SSH authentication failures followed by successful curl transfers
Network Indicators:
- SCP/SFTP transfers from curl without expected public key authentication
SIEM Query:
process.name:"curl" AND network.protocol:"ssh" AND NOT auth.method:"publickey"