Alpine: libcurl, multiple curl packages: security update to 8.12.0-r0

high Tenable Cloud Security Plugin ID 423827

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the
password used for the first host to the followed-to host under certain circumstances. This flaw only
manifests itself if the netrc file has a `default` entry that omits both login and password. A rare
circumstance. (CVE-2025-0167)

- libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel
after having completed a threaded name resolve. (CVE-2025-0665)

- When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the
`CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow
would make libcurl perform a buffer overflow. (CVE-2025-0725)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-0167

https://security.alpinelinux.org/vuln/CVE-2025-0665

https://security.alpinelinux.org/vuln/CVE-2025-0725

Plugin Details

Severity: High

ID: 423827

Version: Revision 1.11

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.62

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-0665

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-0725

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/12/2023

Reference Information

CVE: CVE-2025-0167, CVE-2025-0665, CVE-2025-0725

IAVA: 2025-A-0085-S