CVEFinder.io

CVE-2025-14819

đŸ”ļ medium
Summary

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

CVSS Score
5.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-01-08
First Seen: 2026-01-17
Last Modified 2026-01-20
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)
CWE-295

🔗 References 3

https://curl.se/docs/CVE-2025-14819.html
Vendor Advisory Mitigation Patch
https://curl.se/docs/CVE-2025-14819.json
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/5
Mailing List Third Party Advisory Mitigation Patch

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
haxx curl Affected
≥ 7.87.0 < 8.18.0

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-13034 đŸ”ļ medium 5.9 0.0 When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the pu... 2026-01-08
CVE-2025-14017 đŸ”ļ medium 6.3 0.0 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadver... 2026-01-08
CVE-2025-14524 đŸ”ļ medium 5.3 0.0 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s... 2026-01-08
CVE-2025-15079 đŸ”ļ medium 5.3 0.0 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenl... 2026-01-08
CVE-2025-15224 ℹī¸ low 3.1 0.1 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly s... 2026-01-08
CVE-2025-10966 đŸ”ļ medium 4.3 0.0 curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host... 2025-11-07
These CVEs affect the same products