CVEFinder.io

CVE-2025-14017

🔶 medium
Summary

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other transfers being set up concurrently. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

CVSS Score: 6.3 (Medium)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-01-08
First Seen: 2026-01-17
Last Modified: 2026-01-27
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2025-13034 | 🔶 medium | 5.9 | 0.0 | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the pu... | 2026-01-08 |
| CVE-2025-14524 | 🔶 medium | 5.3 | 0.0 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s... | 2026-01-08 |
| CVE-2025-14819 | 🔶 medium | 5.3 | 0.0 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option... | 2026-01-08 |
| CVE-2025-15079 | 🔶 medium | 5.3 | 0.0 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenl... | 2026-01-08 |
| CVE-2025-15224 | ℹ️ low | 3.1 | 0.1 | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly s... | 2026-01-08 |
| CVE-2025-10966 | 🔶 medium | 4.3 | 0.0 | curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host... | 2025-11-07 |
These CVEs affect the same products