CVE-2025-10148: 
cURL vulnerability analysis and mitigation

CVE-2025-10148 is a vulnerability in curl's WebSocket implementation discovered in September 2025. The vulnerability affects curl versions 8.11.0 through 8.15.0, where the WebSocket code failed to update the 32-bit mask pattern for each new outgoing frame as required by the specification, instead using a fixed mask throughout the entire connection (Curl Advisory).

The vulnerability stems from curl's WebSocket implementation not following RFC 6455 specifications regarding mask pattern updates. Instead of generating a new mask for each outgoing frame, it reused a fixed mask pattern throughout the connection. This issue is classified as CWE-340: Generation of Predictable Numbers or Identifiers. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The predictable mask pattern enables a malicious server to induce traffic between communicating parties that could be interpreted by an intermediary proxy (configured or transparent) as genuine HTTP traffic. This could lead to cache poisoning, where the compromised content would be served to all users of that proxy. The impact is particularly significant when using clear text HTTP/WebSocket (ws://) rather than secure WebSocket (wss://) connections (Curl Advisory).

The vulnerability has been fixed in curl version 8.16.0. Users are recommended to either upgrade to curl 8.16.0 or later, apply the patch to their local version, or avoid using ws:// protocols. The fix was implemented through a commit that ensures proper mask pattern updates for each frame (Curl Advisory).