CVE-2025-10966

critical

Description

curl's code for managing SSH connections when SFTP was done using the wolfSSH-powered backend was flawed and performed no host key verification at all. This prevents curl from detecting an attacker in the middle who impersonates the SFTP server; because the SSH session then terminates at the attacker, the credentials curl authenticates with and the files it transfers are exposed as well.
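The following shell script is an added example for this page, not code from the advisory or from the curl project. It classifies a `curl -V` output as affected or not: any build that reports the wolfSSH backend and is older than 8.17.0, the release the curl advisory lists as fixed (confirm that against the curl.se link in the references), carries the flawed SFTP host verification code. It assumes the wolfSSH build string appears as `wolfssh/<version>` on the first line of `curl -V`; the sample outputs embedded in the script are constructed, not captured from real builds.

```shell
#!/bin/sh
# Added example for this advisory page; not code from curl or the advisory.
# Assumptions: a libcurl built with the wolfSSH backend reports "wolfssh/<ver>"
# on the first line of `curl -V`, and curl 8.17.0 is the first fixed release
# (taken from the curl advisory linked on this page; confirm there).

FIXED_VERSION=8.17.0

# Extract "X.Y.Z" from the first line of `curl -V` output; print nothing if absent.
curl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Succeed (exit 0) when the build line names the wolfSSH SSH backend.
curl_uses_wolfssh() {
    printf '%s\n' "$1" | head -n 1 | grep -qi 'wolfssh/'
}

# Compare two dotted versions numerically; print -1, 0 or 1.
vercmp() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*} p2=${v2%%.*}
        if [ "$v1" = "$p1" ]; then v1=''; else v1=${v1#*.}; fi
        if [ "$v2" = "$p2" ]; then v2=''; else v2=${v2#*.}; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify a `curl -V` output as affected / not-affected / unknown.
# Every pre-8.17.0 build that reports the wolfSSH backend carries the flawed
# SFTP host verification code, whenever that backend was first added.
cve_2025_10966_status() {
    ver=$(curl_version_from_output "$1")
    if [ -z "$ver" ]; then printf '%s\n' unknown; return; fi
    if ! curl_uses_wolfssh "$1"; then printf '%s\n' not-affected; return; fi
    if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' not-affected
    fi
}

# Constructed sample outputs (not captured from real builds) for offline use.
SAMPLE_WOLFSSH='curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 wolfSSL/5.7.0 zlib/1.3.1 wolfssh/1.4.20
Protocols: file ftp ftps http https scp sftp
Features: AsynchDNS IPv6 Largefile libz SSL'
SAMPLE_LIBSSH2='curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 OpenSSL/3.0.13 zlib/1.3.1 libssh2/1.11.0
Protocols: file ftp ftps http https scp sftp
Features: AsynchDNS IPv6 Largefile libz SSL'

printf 'sample wolfSSH build: %s\n' "$(cve_2025_10966_status "$SAMPLE_WOLFSSH")"
printf 'sample libssh2 build: %s\n' "$(cve_2025_10966_status "$SAMPLE_LIBSSH2")"

# Live check against whatever curl is on PATH, if any.
if command -v curl >/dev/null 2>&1; then
    printf 'installed curl: %s\n' "$(cve_2025_10966_status "$(curl -V 2>/dev/null)")"
fi
```

If the installed binary reports `affected`, upgrade to curl 8.17.0 or later, or rebuild libcurl against libssh2 or libssh, which do perform known-hosts checks. A build whose `Protocols:` line lacks `sftp` and `scp` has no SSH exposure regardless of the backend named on the first line, and a build that names libssh2 or libssh is outside the scope of this CVE.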

References

https://hackerone.com/reports/3355218

https://curl.se/docs/CVE-2025-10966.json

https://curl.se/docs/CVE-2025-10966.html

http://www.openwall.com/lists/oss-security/2025/11/05/2

Details

Source: MITRE, NVD

Published: 2025-11-07

Updated: 2025-11-07

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00016 (estimated probability of exploitation in the wild within the next 30 days)