CVE-2025-4947: QUIC certificate check skip with wolfSSL

Description

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Classification

CVE ID: CVE-2025-4947

Problem Types

CWE-295 Improper Certificate Validation

Affected Products

Vendor: curl

Product: curl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.95% (proportion of all scored CVEs with a score less than or equal to this one)

EPSS Date: 2025-06-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4947
https://curl.se/docs/CVE-2025-4947.json
https://curl.se/docs/CVE-2025-4947.html
https://hackerone.com/reports/3150884

Timeline