CVE-2025-5025 log

Source
Severity Medium
Remote Yes
Type Certificate verification bypass
Description
libcurl supports pinning of the server certificate's public key for HTTPS transfers. Due to an omission, this check is not performed when the connection uses QUIC for HTTP/3 and the TLS backend is wolfSSL.

The documentation states that the option works with wolfSSL, without noting that it does not apply to QUIC and HTTP/3.

Since the skipped check lets the transfer succeed exactly as it would if the pin matched, users could unwittingly connect to an impostor server without noticing.
Group     Package  Affected  Fixed  Severity  Status        Ticket
AVG-2887  curl     8.13.0-2  -      Medium    Not affected  -
References
https://curl.se/docs/CVE-2025-5025.html
https://hackerone.com/reports/3153497
Notes
We're not affected, as we use OpenSSL as the TLS backend.
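The note above rests on checking which TLS backend the installed curl was built against. The following is an added example, not part of this tracker entry or of the curl project: a POSIX shell function that classifies a `curl --version` banner by the two preconditions named in the description (a wolfSSL TLS backend and HTTP3 listed under Features). It assumes the standard banner layout, where the first line names the TLS library as e.g. `wolfSSL/x.y.z` and a `Features:` line lists `HTTP3`; the two sample banners are constructed for illustration, with library versions other than curl's own chosen arbitrarily.

```shell
#!/bin/sh
# Added example (not from the tracker or curl). Reads a `curl --version`
# banner on stdin and prints "exposed" only when BOTH CVE-2025-5025
# preconditions hold: wolfSSL is the TLS backend and HTTP3 is a built-in
# feature. Any other combination prints "not-affected".
classify_curl_banner() {
    banner=$(cat)
    # First line: "curl X.Y.Z (triplet) libcurl/X.Y.Z <TLS lib>/ver ..."
    first=$(printf '%s\n' "$banner" | head -n 1)
    # "Features:" line lists HTTP3 when QUIC/HTTP/3 support is compiled in.
    features=$(printf '%s\n' "$banner" | grep -i '^Features:' || true)

    case "$first" in
        *wolfSSL/*) backend=wolfssl ;;
        *)          backend=other   ;;
    esac
    # Pad with spaces so "HTTP3" cannot match inside another token.
    case " $features " in
        *" HTTP3 "*) http3=yes ;;
        *)           http3=no  ;;
    esac

    if [ "$backend" = wolfssl ] && [ "$http3" = yes ]; then
        echo exposed
    else
        echo not-affected
    fi
}

# Constructed sample: an OpenSSL-backed build with HTTP/3 (the Arch case
# described in the note above). Library versions are illustrative only.
SAMPLE_OPENSSL='curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.5.0 zlib/1.3.1 nghttp3/1.9.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTP2 HTTP3 HTTPS-proxy IPv6 SSL TLS-SRP'

# Constructed sample: a wolfSSL-backed build with HTTP/3, the affected shape.
SAMPLE_WOLFSSL='curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 wolfSSL/5.7.6 zlib/1.3.1 ngtcp2/1.11.0 nghttp3/1.9.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTP2 HTTP3 IPv6 SSL'

# Hypothetical helper: run the classifier against the curl actually installed.
check_installed_curl() {
    curl --version | classify_curl_banner
}
```

Running `check_installed_curl` on the tracker's own platform should print `not-affected`, matching the note; `exposed` means the pin must not be relied on for HTTP/3 transfers with that build.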