CVE-2025-10966

PUBLISHED

curl's code for managing SSH connections was flawed when SFTP was done using the wolfSSH-powered backend: it lacked host verification mechanisms. This prevents curl from detecting MITM attackers and more.

Security Metrics

MEDIUM
CVSS Score: 4.3 / 10

Available CVSS Versions:

CVSS v3.1 (Primary)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: November 7, 2025
Reserved: September 25, 2025
Last Updated: November 10, 2025

Assigner

Organization: curl
CNA: curl

Problem Types

CWE-322 Key Exchange without Entity Authentication

Credits

Stanislav Fort (Aisle Research)

Role: finder

Daniel Stenberg

Role: remediation developer

Affected Products

Vendor  Product  Version  Status
curl    curl     8.16.0   affected
curl    curl     8.15.0
curl    curl     8.14.1
curl    curl     8.14.0
curl    curl     8.13.0
curl    curl     8.12.1
curl    curl     8.12.0
curl    curl     8.11.1
curl    curl     8.11.0
curl    curl     8.10.1
curl    curl     8.10.0
curl    curl     8.9.1
curl    curl     8.9.0
curl    curl     8.8.0
curl    curl     8.7.1
curl    curl     8.7.0
curl    curl     8.6.0
curl    curl     8.5.0
curl    curl     8.4.0
curl    curl     8.3.0
curl    curl     8.2.1
curl    curl     8.2.0
curl    curl     8.1.2
curl    curl     8.1.1
curl    curl     8.1.0
curl    curl     8.0.1
curl    curl     8.0.0
curl    curl     7.88.1
curl    curl     7.88.0
curl    curl     7.87.0
curl    curl     7.86.0
curl    curl     7.85.0
curl    curl     7.84.0
curl    curl     7.83.1
curl    curl     7.83.0
curl    curl     7.82.0
curl    curl     7.81.0
curl    curl     7.80.0
curl    curl     7.79.1
curl    curl     7.79.0
curl    curl     7.78.0
curl    curl     7.77.0
curl    curl     7.76.1
curl    curl     7.76.0
curl    curl     7.75.0
curl    curl     7.74.0
curl    curl     7.73.0
curl    curl     7.72.0
curl    curl     7.71.1
curl    curl     7.71.0
curl    curl     7.70.0
curl    curl     7.69.1
curl    curl     7.69.0