← Zuruck zu CVEs
CVE-2025-13034
MEDIUM5.9
Beschreibung
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
CVE Details
CVSS v3.1 Bewertung5.9
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht1/8/2026
Zuletzt geandert1/20/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
haxx:curl
Schwachen (CWE)
CWE-295
Referenzen
https://curl.se/docs/CVE-2025-13034.html(2499f714-1537-4658-8207-48ae4bb9eae9)
https://curl.se/docs/CVE-2025-13034.json(2499f714-1537-4658-8207-48ae4bb9eae9)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.