CVE-2025-5399

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in libcurl's WebSocket implementation allows a malicious server to send a crafted packet that traps libcurl in an endless busy-loop. This affects any application using vulnerable libcurl versions with WebSocket functionality. The only recovery is terminating the affected thread or process.

💻 Affected Systems

Products:
  • libcurl
  • curl
  • applications using libcurl with WebSocket support
Versions: libcurl 8.9.0 to 8.10.0
Operating Systems: All platforms where libcurl with WebSocket support is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds with WebSocket support enabled. Applications must be using libcurl's WebSocket functionality to be vulnerable.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial-of-service for libcurl-using applications, potentially affecting critical services until manual intervention terminates processes.

🟠

Likely Case

Service disruption for applications using libcurl WebSocket connections to untrusted servers, requiring process restart.

🟢

If Mitigated

Limited impact if applications only connect to trusted servers or have monitoring that detects hung processes.

🌐 Internet-Facing: HIGH - Applications connecting to external WebSocket servers are directly exposed to malicious payloads.
🏢 Internal Only: MEDIUM - Internal servers could be compromised or misconfigured to exploit this, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a malicious WebSocket server or man-in-the-middle position. The vulnerability is straightforward to trigger once an attacker controls the server endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.10.1

Vendor Advisory: https://curl.se/docs/CVE-2025-5399.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 8.10.1 or later.
2. Rebuild applications linking against libcurl.
3. Restart affected services using the updated library.

🔧 Temporary Workarounds

Disable WebSocket connections

Platforms: all

Temporarily disable WebSocket functionality in applications until patching is complete.

  • Configure applications to not use libcurl WebSocket APIs
  • Block outbound WebSocket connections at the firewall if feasible

Implement connection timeouts

Platforms: all

Add application-level timeouts to WebSocket connections to limit the impact if the loop occurs.

  • Set the CURLOPT_TIMEOUT and CURLOPT_CONNECTTIMEOUT options in curl calls

🧯 If You Can't Patch

  • Restrict WebSocket connections to trusted servers only using allowlists
  • Implement monitoring to detect hung processes and automatically restart them

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version: curl --version | head -1. If the version is between 8.9.0 and 8.10.0 inclusive, and WebSocket support is enabled, the system is vulnerable.

Check Version:

curl --version | head -1

Verify Fix Applied:

Verify that the libcurl version is 8.10.1 or later: curl --version | head -1. Confirm that the reported version number is 8.10.1 or higher.
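The version check above can be automated. The script below is an added example, not part of the advisory or the curl project: it parses the output of curl --version, reads the libcurl/x.y.z token from the first line (the library version, which is what matters rather than the curl tool version in front of it), checks it against the affected range the advisory lists (8.9.0 through 8.10.0), and treats WebSocket support as enabled when ws or wss appears on the Protocols line. The sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or curl): decide whether a libcurl
# build is in the advisory's affected range AND has WebSocket support.

# Convert "x.y.z" into one comparable integer (x*1000000 + y*1000 + z).
ver_num() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Usage: is_ws_vulnerable "<full curl --version output>"
# Returns 0 when libcurl is 8.9.0..8.10.0 and ws/wss is listed, 1 otherwise,
# 2 when no libcurl version could be found in the first line.
is_ws_vulnerable() {
    out=$1
    lib=$(printf '%s\n' "$out" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$lib" ] || return 2
    protos=$(printf '%s\n' "$out" | sed -n 's/^Protocols: //p')
    ws=1
    for p in $protos; do
        case $p in ws|wss) ws=0 ;; esac
    done
    v=$(ver_num "$lib"); lo=$(ver_num 8.9.0); hi=$(ver_num 8.10.0)
    [ "$ws" -eq 0 ] && [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_VULN='curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https ws wss
Features: alt-svc AsynchDNS HTTPS-proxy'
SAMPLE_FIXED='curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2024-09-18
Protocols: dict file ftp ftps http https ws wss
Features: alt-svc AsynchDNS HTTPS-proxy'
SAMPLE_NO_WS='curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy'

for s in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_NO_WS"; do
    if is_ws_vulnerable "$s"; then echo "VULNERABLE: $(printf '%s\n' "$s" | sed 1q)"
    else echo "not affected: $(printf '%s\n' "$s" | sed 1q)"; fi
done
# Live check on this host: is_ws_vulnerable "$(curl --version)" && echo "affected"
```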

📡 Detection & Monitoring

Log Indicators:

  • Processes stuck at 100% CPU usage for extended periods
  • WebSocket connection timeouts or hangs in application logs
  • Abnormal process terminations of curl/libcurl applications

Network Indicators:

  • Unusually long-lived WebSocket connections with minimal data transfer
  • Connections to suspicious or unknown WebSocket servers

SIEM Query:

Processes with name containing 'curl' AND CPU usage > 90% for > 5 minutes
