CVE-2025-5399: 
cURL vulnerability analysis and mitigation

A vulnerability in libcurl's WebSocket code (CVE-2025-5399) was discovered that allows a malicious server to trigger an endless busy-loop condition. The vulnerability affects curl versions 8.13.0 through 8.14.0, and was discovered on May 30, 2025. This low-severity issue is classified as CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') (Curl Advisory, OSS Security).

The vulnerability occurs in libcurl's WebSocket implementation when processing certain crafted packets from a malicious server. The issue specifically relates to the auto-pong functionality and can be avoided if the 'auto-pong' feature is disabled using the CURLWS_NOAUTOPONG option. The flaw does not affect the curl command line tool and is not considered a C language-specific mistake (Curl Advisory).

When exploited, this vulnerability can cause a denial of service (DoS) condition in libcurl-using applications. The affected application becomes trapped in an endless busy-loop, with no way to escape or exit other than forcibly terminating the thread or process (Curl Advisory).

Three mitigation options are available: 1) Upgrade curl to version 8.14.1 which contains the fix, 2) Apply the patch to the local version (fixed in commit d1145df24de8f80e6b16), or 3) Avoid using WebSocket functionality. Additionally, users can disable the auto-pong feature using the CURLWS_NOAUTOPONG option as a temporary workaround (Curl Advisory).