CVEFinder.io

CVE-2025-15079

đŸ”ļ medium
Summary

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

CVSS Score
5.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-01-08
First Seen: 2026-01-17
Last Modified 2026-01-20
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)
CWE-297

🔗 References 4

https://curl.se/docs/CVE-2025-15079.html
Vendor Advisory Patch
https://curl.se/docs/CVE-2025-15079.json
Vendor Advisory
https://hackerone.com/reports/3477116
Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/6
Mailing List Third Party Advisory Patch

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
haxx curl Affected
≥ 7.58.0 < 8.18.0

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-13034 đŸ”ļ medium 5.9 0.0 When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the pu... 2026-01-08
CVE-2025-14017 đŸ”ļ medium 6.3 0.0 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadver... 2026-01-08
CVE-2025-14524 đŸ”ļ medium 5.3 0.0 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s... 2026-01-08
CVE-2025-14819 đŸ”ļ medium 5.3 0.0 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option... 2026-01-08
CVE-2025-15224 ℹī¸ low 3.1 0.1 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly s... 2026-01-08
CVE-2025-10966 đŸ”ļ medium 4.3 0.0 curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host... 2025-11-07
These CVEs affect the same products