CVE-2024-2466: TLS certificate check bypass with mbedTLS

Description

libcurl did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. libcurl would wrongly skip calling the hostname-setting function when the specified hostname was given as an IP address, and as a result the certificate check was skipped entirely. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.).
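To make the failure mode concrete, here is an added Python model of the flawed decision (not curl's or mbedTLS's code): the vulnerable path treats an IP-literal host as "nothing to verify" and accepts any certificate, while the fixed path checks the IP against the certificate's iPAddress subjectAltName entries. The certificate's SAN list is a constructed sample.

```python
import ipaddress

# Constructed sample of a server certificate's subjectAltName entries,
# as (type, value) pairs; this is not a real certificate.
SAMPLE_SAN = [
    ("DNS", "example.test"),
    ("DNS", "*.example.test"),
    ("IP", "203.0.113.10"),
    ("IP", "2001:db8::10"),
]


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """RFC 6125-style match: a '*' may stand in for the left-most label only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    head, _, tail = pattern.partition(".")
    h_head, _, h_tail = host.partition(".")
    return head == "*" and bool(h_head) and "." in tail and h_tail == tail


def vulnerable_verify(san, host):
    """Models the bug: an IP-literal host is never handed to the name
    check, so the peer is accepted without any SAN comparison."""
    if _as_ip(host) is not None:
        return True  # name check silently skipped
    return any(t == "DNS" and _dns_match(v, host) for t, v in san)


def fixed_verify(san, host):
    """Corrected logic: IP literals are compared against iPAddress SAN
    entries (normalised, so IPv6 spelling variants still match)."""
    ip = _as_ip(host)
    if ip is not None:
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    return any(t == "DNS" and _dns_match(v, host) for t, v in san)
```

Run with a host such as `198.51.100.7`: the vulnerable path returns True for a certificate that never names that address, the fixed path returns False.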

Classification

CVE ID: CVE-2024-2466

Affected Products

Vendor: curl

Product: curl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.83% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://curl.se/docs/CVE-2024-2466.json
https://curl.se/docs/CVE-2024-2466.html
https://hackerone.com/reports/2416725
http://www.openwall.com/lists/oss-security/2024/03/27/4
https://security.netapp.com/advisory/ntap-20240503-0010/
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214120
http://seclists.org/fulldisclosure/2024/Jul/20
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19

Timeline