CVEFinder.io

CVE-2025-13034

🔶 medium
Summary

When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped under one specific condition, which made curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS, and the user had to explicitly disable the standard certificate verification.

Description

When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`
with the curl tool, curl should check the public key of the server certificate
to verify the peer.

This check was skipped under one specific condition, which made curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS, and the user had to explicitly disable the
standard certificate verification.

CVSS Score: 5.9 (Medium)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-01-08
First Seen: 2026-01-17
Last Modified: 2026-01-20
CVSS Vector 3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
🔗 Related CVEs (6)

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2025-14017 | 🔶 medium | 6.3 | 0.0 | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadver... | 2026-01-08 |
| CVE-2025-14524 | 🔶 medium | 5.3 | 0.0 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s... | 2026-01-08 |
| CVE-2025-14819 | 🔶 medium | 5.3 | 0.0 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option... | 2026-01-08 |
| CVE-2025-15079 | 🔶 medium | 5.3 | 0.0 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenl... | 2026-01-08 |
| CVE-2025-15224 | ℹ️ low | 3.1 | 0.1 | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly s... | 2026-01-08 |
| CVE-2025-10966 | 🔶 medium | 4.3 | 0.0 | curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host... | 2025-11-07 |
These CVEs affect the same products