Platform: curl
Component: curl
Fixed in: 8.17.1, 8.16.1, 8.15.1, 8.14.2, 8.14.1, 8.13.1, 8.12.2, 8.12.1, 8.11.2, 8.11.1, 8.10.2, 8.10.1, 8.9.2, 8.9.1, 8.8.1, 8.7.2, 8.7.1, 8.6.1, 8.5.1, 8.4.1, 8.3.1, 8.2.2, 8.2.1, 8.1.3, 8.1.2, 8.1.1, 8.0.2, 8.0.1, 7.88.2, 7.88.1, 7.87.1
CVE-2025-14819 affects curl versions 8.11.0 through 8.17.0. The flaw lies in how libcurl handles TLS trust chains when the `CURLSSLOPT_NO_PARTIALCHAIN` option is used with reused handles. An attacker could potentially cause curl to accept certificates it would normally reject, enabling man-in-the-middle attacks. A fix is available in version 8.17.1.
This vulnerability allows an attacker to potentially bypass certificate validation on TLS connections made with curl. Specifically, if an application reuses easy or multi handles and changes the `CURLSSLOPT_NO_PARTIALCHAIN` option between transfers, libcurl may inadvertently reuse a cached CA store built with the opposite partial-chain setting. curl could then accept a trust chain it should have rejected, allowing a man-in-the-middle attacker to intercept and decrypt sensitive data. The impact is particularly severe for applications that rely on curl for secure communication, such as automated scripts, API clients, and web crawlers. Successful exploitation could lead to data breaches, credential theft, and unauthorized access to systems.
CVE-2025-14819 was publicly disclosed on 2026-01-08. As of this date, there are no known public proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered low, but the potential impact warrants prompt mitigation.
Applications and systems that rely on curl for secure communication, particularly those that reuse easy or multi handles and change the `CURLSSLOPT_NO_PARTIALCHAIN` option, are at risk. This includes automated scripts, API clients, and web crawlers. Systems with older, unpatched curl installations are especially vulnerable.
• linux / server: `ps aux | grep curl`
• generic web: `curl -v https://example.com 2>&1 | grep -i certificate`
Disclosure
Exploit status
EPSS
0.04% (percentile 14%)
The primary mitigation for CVE-2025-14819 is to upgrade to curl version 8.17.1 or later. If upgrading is not immediately feasible, consider implementing stricter certificate validation policies within your applications. This might involve pinning specific certificates or using more robust certificate verification libraries. Additionally, review your code for any instances where `CURLSSLOPT_NO_PARTIALCHAIN` is used in conjunction with reused handles and ensure that the CA store is properly refreshed. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it is a library-level issue. After upgrading, confirm by running curl with TLS connections and verifying that certificate validation behaves as expected.
Update the curl library to a version later than 8.17.0. This prevents the incorrect reuse of the cached CA store when the `CURLSSLOPT_NO_PARTIALCHAIN` option is changed, which could otherwise lead to the acceptance of unwanted trust chains.
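Because the flaw is in libcurl rather than the curl front end, triage should key on the `libcurl/X.Y.Z` token of `curl --version` output, not on the leading `curl X.Y.Z` token (on many distributions the two are separate builds). The following helper is an added example, not code from the curl project or this advisory; the sample output strings are constructed, and the packed 0xXXYYZZ form matches the layout libcurl uses for its version number.

```python
"""Triage helper for CVE-2025-14819: classify `curl --version` output against the
affected range 8.11.0 through 8.17.0 (fixed in 8.17.1), as stated in the advisory."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (8, 11, 0)   # first affected release per the advisory
FIXED_IN: Version = (8, 17, 1)       # first fixed release per the advisory

_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in text, or None."""
    m = _DOTTED.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def libcurl_version(curl_version_output: str) -> Optional[Version]:
    """Prefer the libcurl/X.Y.Z token; fall back to the leading 'curl X.Y.Z' token."""
    m = re.search(r"libcurl/(\d+\.\d+\.\d+)", curl_version_output)
    if m:
        return parse_version(m.group(1))
    first = curl_version_output.splitlines()[0] if curl_version_output else ""
    m = re.match(r"curl\s+(\d+\.\d+\.\d+)", first)
    return parse_version(m.group(1)) if m else None


def is_affected(version: Version) -> bool:
    """Half-open range check: AFFECTED_MIN <= version < FIXED_IN."""
    return AFFECTED_MIN <= version < FIXED_IN


def packed_version_num(version: Version) -> int:
    """Pack X.Y.Z as 0xXXYYZZ, the layout of libcurl's numeric version."""
    return (version[0] << 16) | (version[1] << 8) | version[2]


def triage(curl_version_output: str) -> str:
    """'affected', 'not-affected' or 'unknown'. Distribution builds may backport the
    fix without bumping the version, so treat 'affected' as a prompt to verify."""
    v = libcurl_version(curl_version_output)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not-affected"


# Constructed samples resembling `curl --version` first lines (not real captures).
SAMPLE_AFFECTED = "curl 8.17.0 (x86_64-pc-linux-gnu) libcurl/8.17.0 OpenSSL/3.0.2 zlib/1.2.11"
SAMPLE_MISMATCH = "curl 8.17.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.2 zlib/1.2.11"
SAMPLE_FIXED = "curl 8.17.1 (x86_64-pc-linux-gnu) libcurl/8.17.1 OpenSSL/3.0.2 zlib/1.2.11"
```

The second sample shows the case that matters most in practice: a patched front end linked against an older shared libcurl still reports as affected.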
CVE-2025-14819 is a vulnerability in curl versions 8.11.0 through 8.17.0 where incorrect handling of `CURLSSLOPT_NO_PARTIALCHAIN` can lead to the acceptance of invalid trust chains, potentially enabling man-in-the-middle attacks.
If you are using curl versions 8.11.0 through 8.17.0 and reuse handles while changing the `CURLSSLOPT_NO_PARTIALCHAIN` option, you are potentially affected by this vulnerability.
Upgrade to curl version 8.17.1 or later to resolve this vulnerability. If immediate upgrade is not possible, implement stricter certificate validation policies.
As of the public disclosure date, there are no known active exploits for CVE-2025-14819.
Refer to the official curl security advisory for detailed information and updates regarding CVE-2025-14819: [https://curl.se/security/advisories](https://curl.se/security/advisories)