5.3

CVE-2025-10148

predictable WebSocket mask

curl's websocket code did not update the 32 bit mask pattern for each new
 outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaxxCurl Version >= 8.11.0 < 8.16.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.47% 0.367
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://curl.se/docs/CVE-2025-10148.json
Vendor Advisory
https://curl.se/docs/CVE-2025-10148.html
Patch
Vendor Advisory
https://hackerone.com/reports/3330839
Third Party Advisory
Issue Tracking
http://www.openwall.com/lists/oss-security/2025/09/10/2
Patch
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2025/09/10/3
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2025/09/10/4
Third Party Advisory
Mailing List