CVE-2025-4947: 
cURL vulnerability analysis and mitigation

CVE-2025-4947 affects libcurl versions 8.8.0 to 8.13.0, discovered on May 17, 2025, and publicly disclosed on May 28, 2025. The vulnerability involves libcurl accidentally skipping certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. This flaw specifically affects curl installations using wolfSSL as the TLS backend for QUIC connections (Curl Advisory, OSS Security).

The vulnerability is classified as CWE-295: Improper Certificate Validation with a Medium severity rating (CVSS score: 6.5). The issue occurs specifically when wolfSSL is used as the TLS backend for QUIC connections, affecting both the libcurl library and the curl command line tool. While curl versions before 8.8.0 are not considered vulnerable to this specific flaw, certificate verification did not work correctly in those versions either and was documented as such (Curl Advisory, Wiz).

The vulnerability allows potential man-in-the-middle attacks and makes it possible for attackers to impersonate legitimate servers without detection when connections are made to IP addresses using QUIC. This means the system fails to detect impostor servers, potentially exposing sensitive information or allowing unauthorized access to protected resources (Curl Advisory, Wiz).

Three primary mitigation strategies have been recommended: 1) Upgrade curl to version 8.14.0 which contains the fix, 2) Apply the patch to your local version, or 3) Avoid using HTTP/3 with curl built to use wolfSSL. The fix has been implemented in curl version 8.14.0, released on May 28, 2025 (Curl Advisory).