FKIE_CVE-2025-13034

Vulnerability from fkie_nvd - Published: 2026-01-08 10:15 - Updated: 2026-01-20 14:54
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
References
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2025-13034.htmlVendor Advisory, Patch
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2025-13034.jsonVendor Advisory
Impacted products
Vendor Product Version
haxx curl *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6152C75-3784-4E17-A770-4585D1FD80C4",
              "versionEndExcluding": "8.18.0",
              "versionStartIncluding": "8.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification."
    },
    {
      "lang": "es",
      "value": "Al usar la opci\u00f3n \u0027CURLOPT_PINNEDPUBLICKEY\u0027 con libcurl o \u0027--pinnedpubkey\u0027 con la herramienta curl, curl deber\u00eda verificar la clave p\u00fablica del certificado del servidor para verificar el par.\n\nEsta verificaci\u00f3n se omiti\u00f3 en una determinada condici\u00f3n que luego har\u00eda que curl permitiera la conexi\u00f3n sin realizar la verificaci\u00f3n adecuada, sin notar as\u00ed un posible impostor. Para omitir esta verificaci\u00f3n, la conexi\u00f3n ten\u00eda que hacerse con QUIC con ngtcp2 compilado para usar GnuTLS y el usuario ten\u00eda que deshabilitar expl\u00edcitamente la verificaci\u00f3n est\u00e1ndar del certificado."
    }
  ],
  "id": "CVE-2025-13034",
  "lastModified": "2026-01-20T14:54:02.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T10:15:45.407",
  "references": [
    {
      "source": "2499f714-1537-4658-8207-48ae4bb9eae9",
      "tags": [
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://curl.se/docs/CVE-2025-13034.html"
    },
    {
      "source": "2499f714-1537-4658-8207-48ae4bb9eae9",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://curl.se/docs/CVE-2025-13034.json"
    }
  ],
  "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.