CVE-2025-11563
Discovered by AISLEPUBLISHEDCWE-35 Path Traversal
Description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
CVSS Base Scores
CVSS v3.1(Primary)
4.6CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| curl | curl | 8.17.0 | affected |
| curl | curl | 8.16.0 | — |
| curl | curl | 8.15.0 | — |
| curl | curl | 8.14.1 | — |
| curl | curl | 8.14.0 | — |
Credits
- Stanislav Fort (Aisle Research)(finder)
- Samuel Henrique(remediation developer)
- Sergio Durigan Junior(remediation developer)
- Xi Ruoyao(remediation developer)