CVE-2025-4947

6.5 MEDIUM

📋 TL;DR

libcurl versions 8.9.0 through 8.10.0 fail to verify TLS certificates for QUIC connections when URLs contain IP addresses instead of hostnames. This allows man-in-the-middle attackers to intercept and manipulate traffic. Any application using vulnerable libcurl versions with QUIC connections to IP addresses is affected.

💻 Affected Systems

Products:
  • libcurl
  • curl
  • applications using libcurl
Versions: libcurl 8.9.0 through 8.10.0
Operating Systems: All platforms where libcurl with QUIC support is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects QUIC connections (HTTP/3) to URLs with IP addresses, not hostnames. Requires CURLOPT_SSL_VERIFYPEER to be enabled (default).

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full interception and manipulation of sensitive data transmitted via QUIC to IP addresses, including credentials, session tokens, and API keys.

🟠 Likely Case

Selective interception of traffic when an attacker is positioned between clients and servers that are addressed by IP.

🟢 If Mitigated

Limited impact if certificate pinning, network segmentation, or other TLS validation controls are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available in HackerOne report. Attack requires man-in-the-middle position and QUIC connections to IP addresses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.11.0

Vendor Advisory: https://curl.se/docs/CVE-2025-4947.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 8.11.0 or later.
2. Recompile applications using libcurl.
3. Restart affected services.

🔧 Temporary Workarounds

Disable QUIC/HTTP3 (platform: all)

Force libcurl to use HTTP/1.1 or HTTP/2 instead of QUIC:

curl --http1.1 https://example.com
curl --http2 https://example.com

Use hostnames instead of IPs (platform: all)

Always use domain names in URLs instead of IP addresses.
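The two workarounds above can be combined in scripted use: classify the URL's host and, when it is an IP literal, pass curl the flag that keeps the connection off QUIC. The POSIX shell script below is an added example, not code from the curl project or from this advisory; the function names are my own and the sample URLs (RFC 5737/3849 documentation addresses) are constructed.

```shell
#!/bin/sh
# Added example: decide whether a URL's host is an IP literal and, if so,
# emit the curl flag that forces a non-QUIC protocol (the page's workaround).
# Function names and sample URLs are constructed for this example.

# Print the host part of a URL (scheme, userinfo, port and path stripped).
# Bracketed IPv6 literals are returned without the brackets.
url_host() {
  rest=${1#*://}            # drop scheme
  rest=${rest%%/*}          # drop path and everything after it
  rest=${rest##*@}          # drop userinfo, if any
  case $rest in
    \[*\]*) host=${rest#\[}; host=${host%%\]*} ;;   # [2001:db8::1]:8443
    *)      host=${rest%%:*} ;;                      # host:port or host
  esac
  printf '%s\n' "$host"
}

# Classify a host string as ipv4, ipv6 or hostname. The IPv4 pattern only
# checks shape (four dotted numbers); it is a classifier, not a validator.
host_kind() {
  h=$1
  if printf '%s' "$h" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo ipv4
  elif printf '%s' "$h" | grep -Eq '^[0-9A-Fa-f:]+$' && [ "${h#*:}" != "$h" ]; then
    echo ipv6
  else
    echo hostname
  fi
}

# Print the curl option to add for this URL: --http2 for IP literals
# (no QUIC attempted), nothing for hostnames.
curl_protocol_flag() {
  case $(host_kind "$(url_host "$1")") in
    ipv4|ipv6) echo "--http2" ;;
    *)         echo "" ;;
  esac
}

# Usage with constructed sample URLs.
for u in 'https://203.0.113.5/api' 'https://[2001:db8::1]:8443/' 'https://api.example.com/'; do
  printf '%-30s host=%-16s kind=%-9s flag=%s\n' "$u" "$(url_host "$u")" \
    "$(host_kind "$(url_host "$u")")" "$(curl_protocol_flag "$u")"
done
```

Applications that link libcurl directly get the same effect by setting CURLOPT_HTTP_VERSION to CURL_HTTP_VERSION_2TLS (or CURL_HTTP_VERSION_1_1) for requests whose host is an IP literal; that option selects the protocol regardless of whether the build has HTTP/3 compiled in.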

🧯 If You Can't Patch

  • Implement certificate pinning in applications
  • Use network segmentation to prevent man-in-the-middle attacks

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version with curl --version | head -1. If the version is between 8.9.0 and 8.10.0 (inclusive), test a QUIC connection to an IP address that presents an invalid certificate: a vulnerable build connects without reporting a certificate error.

Check Version:

curl --version | head -1

Verify Fix Applied:

After the update, a QUIC connection to an IP address that presents an invalid certificate should fail with a certificate verification error.
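The version check above can be automated against the banner that curl --version prints. The script below is an added example, not part of this advisory or the curl project: it uses the affected range this page states (libcurl 8.9.0 through 8.10.0, inclusive), checks whether HTTP3 is listed among the build's features (a build without QUIC support cannot make the affected connections), and the sample banners are constructed to match the shape of real curl --version output.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner against the affected
# range this page states (libcurl 8.9.0 through 8.10.0, inclusive) and check
# whether the build has HTTP3 (QUIC) support at all.
# Function names and sample banners are constructed for this example.

# Convert "MAJ.MIN.PATCH" to a single integer so versions compare numerically.
ver_num() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Extract the libcurl version from a banner ("... libcurl/8.10.0 OpenSSL/...").
# Suffixes such as "-DEV" are dropped by the digit/dot character class.
libcurl_version() {
  printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Prints one of:
#   affected      - version in the stated range and HTTP3 is built in
#   no-http3      - version in range but QUIC is not compiled in
#   not-affected  - version outside the stated range
#   unknown       - no libcurl version found in the banner
assess_banner() {
  banner=$1
  v=$(libcurl_version "$banner")
  [ -n "$v" ] || { echo unknown; return 0; }
  n=$(ver_num "$v"); lo=$(ver_num 8.9.0); hi=$(ver_num 8.10.0)
  if [ "$n" -lt "$lo" ] || [ "$n" -gt "$hi" ]; then
    echo not-affected
  elif printf '%s\n' "$banner" | grep -q '^Features:.*HTTP3'; then
    echo affected
  else
    echo no-http3
  fi
}

# Constructed sample banners (same layout as real `curl --version` output).
BANNER_IN_RANGE_HTTP3='curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0 ngtcp2/1.2.0 nghttp3/1.1.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 Largefile libz SSL threadsafe'
BANNER_IN_RANGE_NO_HTTP3='curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz SSL threadsafe'
BANNER_FIXED='curl 8.11.0 (x86_64-pc-linux-gnu) libcurl/8.11.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0 ngtcp2/1.2.0 nghttp3/1.1.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 Largefile libz SSL threadsafe'

# Usage: assess the sample banners, then the local curl if one is installed.
for b in "$BANNER_IN_RANGE_HTTP3" "$BANNER_IN_RANGE_NO_HTTP3" "$BANNER_FIXED"; do
  printf 'libcurl %-7s -> %s\n' "$(libcurl_version "$b")" "$(assess_banner "$b")"
done
if command -v curl >/dev/null 2>&1; then
  printf 'local curl     -> %s\n' "$(assess_banner "$(curl --version 2>/dev/null)")"
fi
```

A "no-http3" result means the installed build cannot open QUIC connections, so the IP-literal case described on this page does not arise there; it should still be scheduled for the same update, since a rebuild with QUIC support would put it back in scope.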

📡 Detection & Monitoring

Log Indicators:

  • QUIC connection attempts to IP addresses
  • Certificate verification failures for QUIC connections

Network Indicators:

  • QUIC traffic to IP addresses without proper TLS handshake validation

SIEM Query:

source="libcurl" AND (protocol="QUIC" OR protocol="HTTP/3") AND dest_ip IS NOT NULL
