Platform: curl
Component: curl
Fixed in: 8.17.1, 8.16.1, 8.15.1, 8.14.2, 8.14.1, 8.13.1, 8.12.2, 8.12.1, 8.11.2, 8.11.1, 8.10.2, 8.10.1, 8.9.2, 8.9.1, 8.8.1
CVE-2025-13034 is a security vulnerability affecting versions 8.11.0 through 8.17.0 of curl. This flaw allows a malicious server to impersonate a legitimate server when using the CURLOPT_PINNEDPUBLICKEY option or the --pinnedpubkey command-line argument with QUIC connections and ngtcp2 built with GnuTLS. The vulnerability bypasses certificate verification, potentially leading to man-in-the-middle attacks and data compromise. A fix is available in version 8.17.1.
This vulnerability arises from a flaw in curl's handling of certificate pinning when using QUIC connections with ngtcp2 and GnuTLS. Specifically, the check that compares the server's public key against the pinned key is skipped under certain conditions, so a server presenting a forged certificate is accepted even though its key does not match the pin. An attacker in a position to intercept the connection can then read and potentially modify the data exchanged between client and server, leading to sensitive information exposure, session hijacking, or the injection of malicious code into responses. The impact is particularly severe because certificate pinning is deployed precisely to prevent connections to unauthorized servers.
This vulnerability has been publicly disclosed and is documented by CISA. While no active exploitation campaigns have been confirmed as of this writing, the availability of public information makes it a potential target. The vulnerability's impact is amplified by the increasing adoption of QUIC and the reliance on certificate pinning for enhanced security. The EPSS score is pending evaluation, but the potential for man-in-the-middle attacks suggests a medium to high probability of exploitation.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2025-13034 is to upgrade to curl version 8.17.1 or later. If upgrading is not immediately feasible, consider disabling QUIC connections or temporarily removing the --pinnedpubkey option until the upgrade can be performed. A Web Application Firewall (WAF) or proxy that inspects and filters QUIC traffic can add a layer of defense, but it is not a substitute for patching. Monitor network traffic for suspicious certificate chains or unexpected server responses. After upgrading, confirm the fix by attempting a connection with a pinned key and verifying that the server's key is actually checked against the pin.
Update the version of curl to a version later than 8.17.0. This will fix the vulnerability related to certificate verification when using QUIC with GnuTLS. Ensure that the new version includes the fix for CVE-2025-13034.
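As an added example that is not part of this advisory, the script below triages a curl build from its `curl -V` output against the affected range and build conditions described above (8.11.0 through 8.17.0, GnuTLS backend, ngtcp2 present), and interprets the exit status of the post-upgrade pin check. The sample `curl -V` text is constructed, exit code 90 is curl's CURLE_SSL_PINNEDPUBKEYNOTMATCH, and the host name and pin in the comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): triage a curl build for CVE-2025-13034
# from its `curl -V` output, and interpret a post-upgrade pin check.
# The sample `curl -V` text below is constructed, not a real build.
set -eu

# Map "8.16.0" to an integer (8*10000 + 16*100 + 0) for range comparison.
version_key() {
  local v=${1%%-*}            # drop a "-DEV" style suffix if present
  local IFS=.
  set -- $v
  echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Affected = version in 8.11.0..8.17.0 AND the first line of `curl -V` shows
# both a GnuTLS backend and ngtcp2 (the QUIC stack the bug lives in).
# Returns 0 if affected, 1 otherwise.
is_affected_build() {
  local first ver key
  first=$(printf '%s\n' "$1" | head -n 1)
  ver=$(printf '%s\n' "$first" | awk '{print $2}')
  key=$(version_key "$ver")
  [ "$key" -ge "$(version_key 8.11.0)" ] || return 1
  [ "$key" -le "$(version_key 8.17.0)" ] || return 1
  printf '%s\n' "$first" | grep -q 'GnuTLS/' || return 1
  printf '%s\n' "$first" | grep -q 'ngtcp2/' || return 1
}

# Post-upgrade check: run curl over HTTP/3 with a pin that is deliberately
# WRONG for your own server (placeholders), e.g.
#   curl --http3-only --pinnedpubkey 'sha256//<base64-of-wrong-key>' https://pinned.example/
# and feed its exit status here. A fixed build must fail with
# CURLE_SSL_PINNEDPUBKEYNOTMATCH (exit 90); exit 0 means the pin was ignored.
pin_check_verdict() {
  case $1 in
    90) echo "pin enforced (mismatch rejected)" ;;
    0)  echo "pin NOT enforced: connection accepted with wrong pin" ;;
    *)  echo "inconclusive (curl exit $1; fix the connection first)" ;;
  esac
}

# Constructed sample of a vulnerable configuration.
SAMPLE_V='curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 GnuTLS/3.x zlib/1.x nghttp2/1.x ngtcp2/1.x nghttp3/1.x
Protocols: http https
Features: HTTP2 HTTP3 SSL'
if is_affected_build "$SAMPLE_V"; then
  echo "sample build: affected by CVE-2025-13034, upgrade to 8.17.1 or later"
else
  echo "sample build: not affected"
fi
```

To check a real host, replace `"$SAMPLE_V"` with `"$(curl -V)"`.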
CVE-2025-13034 is a vulnerability in curl versions 8.11.0–8.17.0 that allows a server impersonation attack when using pinned certificates with QUIC connections and ngtcp2/GnuTLS, bypassing certificate verification.
You are affected if you are using curl versions 8.11.0 through 8.17.0 and utilize the CURLOPT_PINNEDPUBLICKEY option or --pinnedpubkey with QUIC connections and ngtcp2/GnuTLS.
Upgrade to curl version 8.17.1 or later to resolve this vulnerability. As a temporary workaround, disable QUIC connections or remove the --pinnedpubkey option.
No active exploitation campaigns have been confirmed, but the public disclosure makes it a potential target.
Refer to the curl security advisory for detailed information: [https://curl.se/security/advisories](https://curl.se/security/advisories)