CVE-2025-10966

Discovered by AISLEPUBLISHEDCWE-322 Key Exchange without Entity Authentication

Description

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.

CVSS Base Scores

CVSS v3.1(Primary)

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Version	Status
curl	curl	8.16.0	affected
curl	curl	8.15.0	—
curl	curl	8.14.1	—
curl	curl	8.14.0	—
curl	curl	8.13.0	—
curl	curl	8.12.1	—
curl	curl	8.12.0	—
curl	curl	8.11.1	—
curl	curl	8.11.0	—
curl	curl	8.10.1	—
curl	curl	8.10.0	—
curl	curl	8.9.1	—
curl	curl	8.9.0	—
curl	curl	8.8.0	—
curl	curl	8.7.1	—
curl	curl	8.7.0	—
curl	curl	8.6.0	—
curl	curl	8.5.0	—
curl	curl	8.4.0	—
curl	curl	8.3.0	—
curl	curl	8.2.1	—
curl	curl	8.2.0	—
curl	curl	8.1.2	—
curl	curl	8.1.1	—
curl	curl	8.1.0	—
curl	curl	8.0.1	—
curl	curl	8.0.0	—
curl	curl	7.88.1	—
curl	curl	7.88.0	—
curl	curl	7.87.0	—
curl	curl	7.86.0	—
curl	curl	7.85.0	—
curl	curl	7.84.0	—
curl	curl	7.83.1	—
curl	curl	7.83.0	—
curl	curl	7.82.0	—
curl	curl	7.81.0	—
curl	curl	7.80.0	—
curl	curl	7.79.1	—
curl	curl	7.79.0	—
curl	curl	7.78.0	—
curl	curl	7.77.0	—
curl	curl	7.76.1	—
curl	curl	7.76.0	—
curl	curl	7.75.0	—
curl	curl	7.74.0	—
curl	curl	7.73.0	—
curl	curl	7.72.0	—
curl	curl	7.71.1	—
curl	curl	7.71.0	—
curl	curl	7.70.0	—
curl	curl	7.69.1	—
curl	curl	7.69.0	—

Credits

Stanislav Fort (Aisle Research)(finder)
Daniel Stenberg(remediation developer)

Description

CVSS Base Scores

Affected Products

Credits

References