CVE-2025-15079

Severity: Medium
CVSS Score: 5.3
Published: Jan 08, 2026
Last Modified: Jan 20, 2026

Vulnerability Description

When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector: N
Attack Complexity: H
Privileges Required: N
User Interaction: R
Scope: U
Confidentiality: H
Integrity: N
Availability: N

Known Affected Software

66 configuration(s) from 1 vendor(s)

Product | Version | CPE
curl | 7.80.0 | cpe:2.3:a:haxx:curl:7.80.0:*:*:*:*:*:*:*
curl | 8.2.0 | cpe:2.3:a:haxx:curl:8.2.0:*:*:*:*:*:*:*
curl | 8.7.0 | cpe:2.3:a:haxx:curl:8.7.0:*:*:*:*:*:*:*
curl | 8.2.1 | cpe:2.3:a:haxx:curl:8.2.1:*:*:*:*:*:*:*
curl | 8.0.0 | cpe:2.3:a:haxx:curl:8.0.0:*:*:*:*:*:*:*
curl | 7.64.0 | cpe:2.3:a:haxx:curl:7.64.0:*:*:*:*:*:*:*
curl | 8.14.1 | cpe:2.3:a:haxx:curl:8.14.1:*:*:*:*:*:*:*
curl | 7.65.0 | cpe:2.3:a:haxx:curl:7.65.0:*:*:*:*:*:*:*
curl | 7.63.0 | cpe:2.3:a:haxx:curl:7.63.0:*:*:*:*:*:*:*
curl | 7.88.1 | cpe:2.3:a:haxx:curl:7.88.1:*:*:*:*:*:*:*
curl | 7.79.1 | cpe:2.3:a:haxx:curl:7.79.1:*:*:*:*:*:*:*
curl | 7.77.0 | cpe:2.3:a:haxx:curl:7.77.0:*:*:*:*:*:*:*
curl | 8.0.1 | cpe:2.3:a:haxx:curl:8.0.1:*:*:*:*:*:*:*
curl | 7.65.3 | cpe:2.3:a:haxx:curl:7.65.3:*:*:*:*:*:*:*
curl | 7.84.0 | cpe:2.3:a:haxx:curl:7.84.0:*:*:*:*:*:*:*
curl | 7.82.0 | cpe:2.3:a:haxx:curl:7.82.0:*:*:*:*:*:*:*
curl | 8.4.0 | cpe:2.3:a:haxx:curl:8.4.0:*:*:*:*:*:*:*
curl | 8.5.0 | cpe:2.3:a:haxx:curl:8.5.0:*:*:*:*:*:*:*
curl | 7.74.0 | cpe:2.3:a:haxx:curl:7.74.0:*:*:*:*:*:*:*
curl | 8.10.0 | cpe:2.3:a:haxx:curl:8.10.0:*:*:*:*:*:*:*
curl | 7.75.0 | cpe:2.3:a:haxx:curl:7.75.0:*:*:*:*:*:*:*
curl | 7.69.1 | cpe:2.3:a:haxx:curl:7.69.1:*:*:*:*:*:*:*
curl | 8.1.1 | cpe:2.3:a:haxx:curl:8.1.1:*:*:*:*:*:*:*
curl | 7.59.0 | cpe:2.3:a:haxx:curl:7.59.0:*:*:*:*:*:*:*
curl | 7.70.0 | cpe:2.3:a:haxx:curl:7.70.0:*:*:*:*:*:*:*
curl | 7.87.0 | cpe:2.3:a:haxx:curl:7.87.0:*:*:*:*:*:*:*
curl | 7.69.0 | cpe:2.3:a:haxx:curl:7.69.0:*:*:*:*:*:*:*
curl | 7.61.1 | cpe:2.3:a:haxx:curl:7.61.1:*:*:*:*:*:*:*
curl | 8.12.1 | cpe:2.3:a:haxx:curl:8.12.1:*:*:*:*:*:*:*
curl | 7.68.0 | cpe:2.3:a:haxx:curl:7.68.0:*:*:*:*:*:*:*
curl | 7.62.0 | cpe:2.3:a:haxx:curl:7.62.0:*:*:*:*:*:*:*
curl | 7.76.1 | cpe:2.3:a:haxx:curl:7.76.1:*:*:*:*:*:*:*
curl | 7.66.0 | cpe:2.3:a:haxx:curl:7.66.0:*:*:*:*:*:*:*
curl | 7.72.0 | cpe:2.3:a:haxx:curl:7.72.0:*:*:*:*:*:*:*
curl | 8.1.0 | cpe:2.3:a:haxx:curl:8.1.0:*:*:*:*:*:*:*
curl | 7.81.0 | cpe:2.3:a:haxx:curl:7.81.0:*:*:*:*:*:*:*
curl | 7.85.0 | cpe:2.3:a:haxx:curl:7.85.0:*:*:*:*:*:*:*
curl | 8.12.0 | cpe:2.3:a:haxx:curl:8.12.0:*:*:*:*:*:*:*
curl | 7.67.0 | cpe:2.3:a:haxx:curl:7.67.0:*:*:*:*:*:*:*
curl | 7.88.0 | cpe:2.3:a:haxx:curl:7.88.0:*:*:*:*:*:*:*
curl | 7.65.1 | cpe:2.3:a:haxx:curl:7.65.1:*:*:*:*:*:*:*
curl | 8.8.0 | cpe:2.3:a:haxx:curl:8.8.0:*:*:*:*:*:*:*
curl | 7.79.0 | cpe:2.3:a:haxx:curl:7.79.0:*:*:*:*:*:*:*
curl | 8.9.0 | cpe:2.3:a:haxx:curl:8.9.0:*:*:*:*:*:*:*
curl | 8.7.1 | cpe:2.3:a:haxx:curl:8.7.1:*:*:*:*:*:*:*
curl | 7.73.0 | cpe:2.3:a:haxx:curl:7.73.0:*:*:*:*:*:*:*
curl | 7.60.0 | cpe:2.3:a:haxx:curl:7.60.0:*:*:*:*:*:*:*
curl | 8.6.0 | cpe:2.3:a:haxx:curl:8.6.0:*:*:*:*:*:*:*
curl | 8.1.2 | cpe:2.3:a:haxx:curl:8.1.2:*:*:*:*:*:*:*
curl | 7.76.0 | cpe:2.3:a:haxx:curl:7.76.0:*:*:*:*:*:*:*
curl | 8.9.1 | cpe:2.3:a:haxx:curl:8.9.1:*:*:*:*:*:*:*
curl | 8.14.0 | cpe:2.3:a:haxx:curl:8.14.0:*:*:*:*:*:*:*
curl | 7.64.1 | cpe:2.3:a:haxx:curl:7.64.1:*:*:*:*:*:*:*
curl | 8.11.1 | cpe:2.3:a:haxx:curl:8.11.1:*:*:*:*:*:*:*
curl | 7.86.0 | cpe:2.3:a:haxx:curl:7.86.0:*:*:*:*:*:*:*
curl | 8.11.0 | cpe:2.3:a:haxx:curl:8.11.0:*:*:*:*:*:*:*
curl | 7.65.2 | cpe:2.3:a:haxx:curl:7.65.2:*:*:*:*:*:*:*
curl | 7.58.0 | cpe:2.3:a:haxx:curl:7.58.0:*:*:*:*:*:*:*
curl | 8.13.0 | cpe:2.3:a:haxx:curl:8.13.0:*:*:*:*:*:*:*
curl | 7.78.0 | cpe:2.3:a:haxx:curl:7.78.0:*:*:*:*:*:*:*
curl | 7.71.1 | cpe:2.3:a:haxx:curl:7.71.1:*:*:*:*:*:*:*
curl | 7.71.0 | cpe:2.3:a:haxx:curl:7.71.0:*:*:*:*:*:*:*
curl | 8.10.1 | cpe:2.3:a:haxx:curl:8.10.1:*:*:*:*:*:*:*
curl | 7.83.0 | cpe:2.3:a:haxx:curl:7.83.0:*:*:*:*:*:*:*
curl | 7.83.1 | cpe:2.3:a:haxx:curl:7.83.1:*:*:*:*:*:*:*
curl | 7.61.0 | cpe:2.3:a:haxx:curl:7.61.0:*:*:*:*:*:*:*

This vulnerability affects 66 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

3 patches available from vendors

Oracle: CPUAPR2026
Title: Oracle Critical Patch Update Advisory - April 2026
Severity: Critical
Released: Apr 21, 2026
Flags: Restart Required, Security Update

Canonical (Ubuntu): USN-8062-2
Title: USN-8062-2: curl vulnerabilities
Severity: Unknown
Released: Mar 03, 2026
Flags: Security Update

Canonical (Ubuntu): USN-8062-1
Title: USN-8062-1: curl vulnerabilities
Severity: Unknown
Released: Feb 25, 2026
Flags: Security Update

Severity Details

5.3 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-297: Improper Validation of Certificate with Host Mismatch

Description: The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Variant

Key Information

Published Date: January 08, 2026