CVE-2025-5399: 
MySQL vulnerability analysis and mitigation

A vulnerability (CVE-2025-5399) was discovered in libcurl's WebSocket code affecting versions 8.13.0 through 8.14.0. The vulnerability, discovered on May 30, 2025, allows a malicious server to trigger an endless busy-loop condition in libcurl-using applications. This issue is classified as CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') (Curl Advisory, OSS Security).

The vulnerability occurs in libcurl's WebSocket implementation when processing specially crafted packets from a malicious server. The issue specifically relates to the auto-pong functionality and can be avoided if the 'auto-pong' feature is disabled using the CURLWS_NOAUTOPONG option. The flaw does not affect the curl command line tool and is not considered a C language-specific mistake. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Wiz, NVD).

When exploited, this vulnerability can cause a denial of service (DoS) condition in libcurl-using applications. The affected application becomes trapped in an endless busy-loop, with no way to escape or exit other than forcibly terminating the thread or process (Curl Advisory, Wiz).

Three primary mitigation options are available: 1) Upgrade curl to version 8.14.1 which contains the fix, 2) Apply the patch (fixed in commit d1145df24de8f80e6b16), or 3) Avoid using WebSocket functionality. Additionally, users can disable the auto-pong feature using the CURLWS_NOAUTOPONG option as a temporary workaround (Curl Advisory, Wiz).