Platform: curl
Component: curl
Fixed in: 8.17.1 (and later)
CVE-2025-13034 is a security vulnerability in curl versions 8.11.0 through 8.17.0. When a client uses the CURLOPT_PINNEDPUBLICKEY option or the --pinnedpubkey command-line argument over a QUIC (HTTP/3) connection, and curl was built with ngtcp2 using GnuTLS as the TLS backend, the pinned public key check is not applied, so a malicious server can impersonate the legitimate one. Because curl allows public key pinning to be combined with disabled CA verification, an affected client in that setup is left with no effective server authentication at all, which enables man-in-the-middle attacks and data compromise. A fix is available in version 8.17.1.
The flaw lies in curl's handling of public key pinning on QUIC connections when ngtcp2 is paired with GnuTLS: the comparison of the server's public key against the configured pin is skipped, so a server presenting a different key is accepted as long as nothing else rejects it. An attacker who can get the client to connect to a server under their control, for instance from an on-path position, can therefore intercept and potentially modify the traffic, exposing sensitive data, hijacking sessions, or serving tampered content such as a modified download. The impact is severe precisely because pinning is deployed to refuse connections to servers that hold a valid-looking but unauthorized certificate, and that is exactly the case the bypass defeats.
This vulnerability has been publicly disclosed, and the curl project has published a security advisory for it (see the link below). No active exploitation campaigns have been confirmed as of this writing, and the EPSS score listed below (0.01%, 1st percentile) reflects a low predicted likelihood of exploitation. Exploitation nevertheless requires little beyond an attacker who can redirect or intercept the client's QUIC traffic and a client in the affected configuration, so the exposure grows with the adoption of HTTP/3 and with reliance on pinning as the primary server authentication control.
Only curl builds that combine all of the following are exposed: a version from 8.11.0 through 8.17.0, HTTP/3 support via ngtcp2, and GnuTLS as the TLS backend; a build that uses another TLS library, or that lacks HTTP3 in its feature list, is not in scope for this CVE. Within that population, the organizations at most risk are those that rely on curl or libcurl for API communication or data transfer over QUIC and use public key pinning as a security control: developers embedding libcurl in their applications, and administrators whose servers use curl for outbound connections. On shared hosts, every user of a system-wide affected curl build is in the same position.
• linux / server:
  curl --version
  Affected builds report a version from 8.11.0 through 8.17.0, list HTTP3 under Features, and name both ngtcp2 and GnuTLS in the library line. A build with OpenSSL, wolfSSL or another TLS backend, or without HTTP3, is not in scope.
• generic web:
  curl --silent --output /dev/null --http3-only --pinnedpubkey 'sha256//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' https://example.com; echo "exit=$?"
  The pin is deliberately wrong. A patched build refuses the connection with exit code 90 (CURLE_SSL_PINNEDPUBKEYNOTMATCH); a vulnerable build completes the transfer (exit 0) because the pin is never compared. Any other exit code means the QUIC path itself did not work and the test is inconclusive.
Exploit status: disclosure
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2025-13034 is to upgrade to curl version 8.17.1 or later. If upgrading is not immediately feasible, keep pinning but stop using QUIC for the affected clients (do not pass --http3 or --http3-only, or select HTTP/2 or lower via CURLOPT_HTTP_VERSION), so that the pin is enforced on the TCP-based TLS path; since the flaw is specific to the ngtcp2 with GnuTLS combination, a build that uses a different TLS backend is not affected either. Removing --pinnedpubkey does not reduce exposure, it only makes explicit that the pin was not being checked, and a WAF or proxy in front of your own servers offers no protection because the bypass happens in the client. Monitor network traffic for unexpected certificate chains or server responses. After upgrading, confirm the fix by attempting a QUIC connection with a deliberately wrong pin and verifying that curl rejects it with exit code 90 (CURLE_SSL_PINNEDPUBKEYNOTMATCH), then with the correct pin and verifying that the transfer succeeds.
Update curl to a version later than 8.17.0. This resolves the certificate verification vulnerability when using QUIC with GnuTLS. Make sure to verify that the new version contains the fix for CVE-2025-13034.
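The two checks above, identifying whether a build is in the affected configuration and confirming after the upgrade that the pin is actually enforced over QUIC, as one added example script. This is not code from the advisory page or from the curl project. The `curl --version` samples are constructed to look like real output and are not captured from any system; the live probe assumes the target URL serves HTTP/3 and that the local curl was built with the HTTP3 feature, and the exit-90 expectation follows from curl's CURLE_SSL_PINNEDPUBKEYNOTMATCH error code.

```shell
#!/usr/bin/env bash
# Added example; not code from the advisory page or from the curl project.
# Part 1 classifies `curl --version` output as being in the configuration
# affected by CVE-2025-13034 (curl 8.11.0 through 8.17.0, HTTP3 feature,
# ngtcp2 and GnuTLS in the library line). Part 2 probes a live URL with a
# deliberately wrong pin, the behaviour that distinguishes a fixed build.
# Assumptions: the sample outputs below are constructed, not captured; the
# probe assumes the URL serves HTTP/3 and the local curl was built with it.

# --- Constructed samples, shaped like real `curl --version` output ---------
SAMPLE_AFFECTED='curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 GnuTLS/3.8.9 zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: dict file ftp ftps http https
Features: alt-svc HSTS HTTP2 HTTP3 IPv6 Largefile libz SSL threadsafe TLS-SRP'
SAMPLE_FIXED='curl 8.17.1 (x86_64-pc-linux-gnu) libcurl/8.17.1 GnuTLS/3.8.9 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: http https
Features: HTTP2 HTTP3 SSL'
SAMPLE_OPENSSL='curl 8.15.0 (x86_64-pc-linux-gnu) libcurl/8.15.0 OpenSSL/3.5.0 ngtcp2/1.12.0 nghttp3/1.9.0
Protocols: http https
Features: HTTP2 HTTP3 SSL'
SAMPLE_NO_H3='curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 GnuTLS/3.8.9
Protocols: http https
Features: HTTP2 SSL'

# in_affected_range MAJOR MINOR PATCH: success iff 8.11.0 <= version <= 8.17.0
in_affected_range() {
    local major=$1 minor=$2 patch=$3
    [ "$major" -eq 8 ] 2>/dev/null || return 1
    if [ "$minor" -ge 11 ] 2>/dev/null && [ "$minor" -le 16 ]; then return 0; fi
    [ "$minor" -eq 17 ] 2>/dev/null && [ "$patch" -eq 0 ] 2>/dev/null
}

# curl_build_affected "<curl --version text>": success iff all three
# conditions hold (version range, HTTP3 feature, ngtcp2 with GnuTLS).
curl_build_affected() {
    local text=$1 first features version major minor patch rest
    first=$(printf '%s\n' "$text" | sed -n '1p')
    features=$(printf '%s\n' "$text" | sed -n 's/^Features: //p')
    version=${first#curl }; version=${version%% *}    # e.g. 8.14.1
    major=${version%%.*}; rest=${version#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*.}; fi
    patch=${patch%%[!0-9]*}                            # drop "-DEV" and similar
    in_affected_range "$major" "$minor" "${patch:-0}" || return 1
    case " $features " in *" HTTP3 "*) ;; *) return 1 ;; esac
    case "$first" in *ngtcp2/*) ;; *) return 1 ;; esac
    case "$first" in *GnuTLS/*) ;; *) return 1 ;; esac
}

# spki_pin CERT.pem: compute the sha256// pin curl expects for a certificate,
# following the procedure from the --pinnedpubkey manual (needs openssl).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 | sed 's#^#sha256//#'
}

# pin_probe URL: connect over QUIC only with a pin that cannot match.
# Exit 90 (CURLE_SSL_PINNEDPUBKEYNOTMATCH) means the pin was enforced; exit 0
# means the transfer succeeded despite the wrong pin, i.e. the check was
# skipped as in CVE-2025-13034; anything else means the QUIC path itself failed.
pin_probe() {
    local url=$1 rc
    curl --silent --output /dev/null --http3-only \
         --pinnedpubkey 'sha256//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' "$url"
    rc=$?
    case $rc in
        90) echo "pin enforced (exit 90): pinning works on this QUIC path" ;;
        0)  echo "transfer succeeded with a wrong pin: pin check skipped" ;;
        *)  echo "inconclusive (curl exit $rc): QUIC connection did not complete" ;;
    esac
    return "$rc"
}

# report LABEL TEXT: one-line verdict for a `curl --version` dump.
report() {
    if curl_build_affected "$2"; then echo "$1: AFFECTED build"; else echo "$1: not affected"; fi
}

report "sample 8.14.1 ngtcp2+GnuTLS" "$SAMPLE_AFFECTED"
report "sample 8.17.1 ngtcp2+GnuTLS" "$SAMPLE_FIXED"
report "sample 8.15.0 ngtcp2+OpenSSL" "$SAMPLE_OPENSSL"
report "sample 8.16.0 GnuTLS no HTTP3" "$SAMPLE_NO_H3"
if command -v curl >/dev/null 2>&1; then
    report "local curl" "$(curl --version 2>/dev/null)"
fi
# Live probe usage (hypothetical host): ./check.sh --live https://host.example
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then pin_probe "$2"; fi
```

Run it without arguments to classify the constructed samples and the locally installed curl; pass `--live <url>` on an HTTP/3-capable endpoint to exercise the pin check itself. Once `pin_probe` returns 90, repeat the same transfer with the output of `spki_pin` for the server's certificate to confirm the positive case still succeeds.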
CVE-2025-13034 is a vulnerability in curl versions 8.11.0 through 8.17.0 that allows a server impersonation attack when public key pinning is used on QUIC connections in a build with ngtcp2 and GnuTLS: the pinned key is never compared, so the protection pinning is meant to provide is bypassed.
You are affected if you are using curl versions 8.11.0 through 8.17.0, your build has HTTP3 support via ngtcp2 with GnuTLS as the TLS backend, and you use the CURLOPT_PINNEDPUBLICKEY option or --pinnedpubkey on QUIC connections.
Upgrade to curl version 8.17.1 or later to resolve this vulnerability. As a temporary workaround, keep the pin but avoid QUIC for those clients so that pinning is enforced over TLS on TCP; removing --pinnedpubkey is not a mitigation.
No active exploitation campaigns have been confirmed, but the public disclosure makes it a potential target.
Refer to the curl security advisory for detailed information: [https://curl.se/security/advisories](https://curl.se/security/advisories)