CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://curl.se/docs/CVE-2025-10148.html	Vendor Advisory Patch
https://curl.se/docs/CVE-2025-10148.json	Vendor Advisory
https://hackerone.com/reports/3330839	Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/09/10/2	Mailing List Third Party Advisory Patch
http://www.openwall.com/lists/oss-security/2025/09/10/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/09/10/4	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-09-12 06:15

Updated : 2026-01-20 14:55

NVD link : CVE-2025-10148

Mitre link : CVE-2025-10148

CVE.ORG link : CVE-2025-10148

JSON object : View

Products Affected

haxx

curl

CWE

NVD-CWE-noinfo

{"id": "CVE-2025-10148", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-09-12T06:15:40.020", "references": [{"url": "https://curl.se/docs/CVE-2025-10148.html", "tags": ["Vendor Advisory", "Patch"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2025-10148.json", "tags": ["Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://hackerone.com/reports/3330839", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2025/09/10/2", "tags": ["Mailing List", "Third Party Advisory", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/09/10/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/09/10/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "curl's websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."}], "lastModified": "2026-01-20T14:55:47.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2D88104-00EB-4B8B-88D4-9FCCEF41FA6B", "versionEndExcluding": "8.16.0", "versionStartIncluding": "8.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9"}