Fluid Attacks Database

Description

A flaw was found in curl. When configured to use public key pinning with QUIC connections and GnuTLS, and with standard certificate verification explicitly disabled, curl could bypass the intended public key check. This oversight allows a malicious server to impersonate a legitimate one, potentially leading to unauthorized access or information disclosure due to a failure in verifying the server's identity.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	curl	=8.14.1-2 \|\| =8.14.1-2+deb13u1 \|\| =8.14.1-2+deb13u2 \|\| =8.14.1-2+deb13u2~bpo13+1 \|\| >=0 <8.14.1-2+deb13u3	8.14.1-2+deb13u3
debian 14	curl	=8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0~rc1-1+exp1 \|\| >=0 <8.18.0~rc2-1	8.18.0~rc2-1
rpm rhel6	curl	-	-
rpm rhel10	curl	-	-
rpm rhel7	curl	-	-
rpm rhel8	curl	-	-
rpm rhel9	curl	-	-
rpm rhel10	rust	-	-
rpm rhel9	rust	-	-
rpm rhel10	s390utils	-	-

1-10 of 14

Aliases

1. CVE-2025-130342. NVD-2025-130343. OSV-DEBIAN-2025-130344. OSV-2025-130345. SECURITY-TRACKER-CVE-2025-13034

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.