CVE-2025-5025: 
cURL vulnerability analysis and mitigation

CVE-2025-5025 affects libcurl's certificate pinning functionality when using QUIC for HTTP/3 connections with the wolfSSL backend. The vulnerability was discovered on May 19, 2025, and publicly disclosed on May 28, 2025. The issue affects curl versions 8.5.0 through 8.13.0, where certificate pinning checks are not performed during QUIC/HTTP/3 connections when using wolfSSL as the TLS backend (Curl Advisory, OSS Security).

The vulnerability stems from an omission in the certificate public key pinning verification process for HTTPS transfers. While libcurl supports pinning of server certificate public keys, this security check is bypassed specifically when using QUIC for HTTP/3 connections with the wolfSSL backend. The documentation incorrectly indicates full wolfSSL support without specifying the limitation for QUIC and HTTP/3. The issue has been classified as CWE-295: Improper Certificate Validation with a Medium severity rating, receiving a CVSS 3.1 base score of 4.8 (Curl Advisory, NVD).

The vulnerability could allow users to unknowingly connect to impostor servers when using certificate pinning with QUIC/HTTP/3 connections. Since the pinning check appears to succeed even when connecting to potentially malicious servers, users might believe their connections are secure when they are actually vulnerable to man-in-the-middle attacks (Curl Advisory, Wiz).

Three mitigation options are available: 1) Upgrade to curl version 8.14.0 or later which contains the fix, 2) Apply the patch to your local version, or 3) Avoid using HTTP/3 or certificate pinning with curl when built using wolfSSL. The vulnerability was fixed in curl 8.14.0, released on May 28, 2025 (Curl Advisory).