---

CVE-2025-5025 - log back

CVE-2025-5025 created at 29 May 2025 19:09:08
Severity	+ Medium
Remote	+ Remote
Type	+ Certificate verification bypass
Description	+ libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. + + Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. + + Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
References	+ https://curl.se/docs/CVE-2025-5025.html + https://hackerone.com/reports/3153497
Notes	+ We're not affected as we use OpenSSL as TLS backend.