CVE-2025-10148 (GCVE-0-2025-10148)
Vulnerability from cvelistv5
Published
2025-09-12 05:10
Modified
2025-09-12 17:17
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
Summary
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
References
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2025-10148.html
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2025-10148.json
2499f714-1537-4658-8207-48ae4bb9eae9https://hackerone.com/reports/3330839
Impacted products
Vendor Product Version
curl curl Version: 8.15.0    8.15.0
Version: 8.14.1    8.14.1
Version: 8.14.0    8.14.0
Version: 8.13.0    8.13.0
Version: 8.12.1    8.12.1
Version: 8.12.0    8.12.0
Version: 8.11.1    8.11.1
Version: 8.11.0    8.11.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-10148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T17:16:46.486840Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-12T17:17:12.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "curl",
          "vendor": "curl",
          "versions": [
            {
              "lessThanOrEqual": "8.15.0",
              "status": "affected",
              "version": "8.15.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.14.1",
              "status": "affected",
              "version": "8.14.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.14.0",
              "status": "affected",
              "version": "8.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.13.0",
              "status": "affected",
              "version": "8.13.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.12.1",
              "status": "affected",
              "version": "8.12.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.12.0",
              "status": "affected",
              "version": "8.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.11.1",
              "status": "affected",
              "version": "8.11.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.11.0",
              "status": "affected",
              "version": "8.11.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Calvin Ruocco (Vector Informatik GmbH)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daniel Stenberg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "curl\u0027s websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-12T05:10:37.469Z",
        "orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
        "shortName": "curl"
      },
      "references": [
        {
          "name": "json",
          "url": "https://curl.se/docs/CVE-2025-10148.json"
        },
        {
          "name": "www",
          "url": "https://curl.se/docs/CVE-2025-10148.html"
        },
        {
          "name": "issue",
          "url": "https://hackerone.com/reports/3330839"
        }
      ],
      "title": "predictable WebSocket mask"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
    "assignerShortName": "curl",
    "cveId": "CVE-2025-10148",
    "datePublished": "2025-09-12T05:10:37.469Z",
    "dateReserved": "2025-09-09T03:45:41.908Z",
    "dateUpdated": "2025-09-12T17:17:12.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10148\",\"sourceIdentifier\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"published\":\"2025-09-12T06:15:40.020\",\"lastModified\":\"2025-09-12T18:15:33.233\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"curl\u0027s websocket code did not update the 32 bit mask pattern for each new\\n outgoing frame as the specification says. Instead it used a fixed mask that\\npersisted and was used throughout the entire connection.\\n\\nA predictable mask pattern allows for a malicious server to induce traffic\\nbetween the two communicating parties that could be interpreted by an involved\\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\\nand thereby poison its cache. That cached poisoned content could then be\\nserved to all users of that proxy.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://curl.se/docs/CVE-2025-10148.html\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://curl.se/docs/CVE-2025-10148.json\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://hackerone.com/reports/3330839\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10148\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-12T17:16:46.486840Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-12T17:17:07.462Z\"}}], \"cna\": {\"title\": \"predictable WebSocket mask\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Calvin Ruocco (Vector Informatik GmbH)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Daniel Stenberg\"}], \"affected\": [{\"vendor\": \"curl\", \"product\": \"curl\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.15.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.15.0\"}, {\"status\": \"affected\", \"version\": \"8.14.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.14.1\"}, {\"status\": \"affected\", \"version\": \"8.14.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.14.0\"}, {\"status\": \"affected\", \"version\": \"8.13.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.13.0\"}, {\"status\": \"affected\", \"version\": \"8.12.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.12.1\"}, {\"status\": \"affected\", \"version\": \"8.12.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.12.0\"}, {\"status\": \"affected\", \"version\": \"8.11.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.11.1\"}, {\"status\": \"affected\", \"version\": \"8.11.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.11.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://curl.se/docs/CVE-2025-10148.json\", \"name\": \"json\"}, {\"url\": \"https://curl.se/docs/CVE-2025-10148.html\", \"name\": \"www\"}, {\"url\": \"https://hackerone.com/reports/3330839\", \"name\": \"issue\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"curl\u0027s websocket code did not update the 32 bit mask pattern for each new\\n outgoing frame as the specification says. Instead it used a fixed mask that\\npersisted and was used throughout the entire connection.\\n\\nA predictable mask pattern allows for a malicious server to induce traffic\\nbetween the two communicating parties that could be interpreted by an involved\\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\\nand thereby poison its cache. That cached poisoned content could then be\\nserved to all users of that proxy.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-340 Generation of Predictable Numbers or Identifiers\"}]}], \"providerMetadata\": {\"orgId\": \"2499f714-1537-4658-8207-48ae4bb9eae9\", \"shortName\": \"curl\", \"dateUpdated\": \"2025-09-12T05:10:37.469Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10148\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-12T17:17:12.815Z\", \"dateReserved\": \"2025-09-09T03:45:41.908Z\", \"assignerOrgId\": \"2499f714-1537-4658-8207-48ae4bb9eae9\", \"datePublished\": \"2025-09-12T05:10:37.469Z\", \"assignerShortName\": \"curl\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.