Fluid Attacks Database

Description

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	curl	=8.14.1-2 \|\| =8.14.1-2+deb13u1 \|\| =8.14.1-2+deb13u2 \|\| =8.14.1-2+deb13u2~bpo13+1 \|\| =8.14.1-2+exp1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1	-
debian 12	curl	=7.88.1-10 \|\| =7.88.1-10+deb12u1 \|\| =7.88.1-10+deb12u11 \|\| =7.88.1-10+deb12u12 \|\| =7.88.1-10+deb12u13 \|\| =7.88.1-10+deb12u14 \|\| =7.88.1-10+deb12u1~bpo11+1 \|\| =7.88.1-10+deb12u2 \|\| =7.88.1-10+deb12u3 \|\| =7.88.1-10+deb12u3~bpo11+1 \|\| =7.88.1-10+deb12u4 \|\| =7.88.1-10+deb12u5 \|\| =7.88.1-10+deb12u5~bpo11+1 \|\| =7.88.1-10+deb12u6 \|\| =7.88.1-10+deb12u6~bpo11+1 \|\| =7.88.1-10+deb12u7 \|\| =7.88.1-10+deb12u8 \|\| =7.88.1-10+deb12u9 \|\| =7.88.1-11 \|\| =8.0.1-1~exp1 \|\| =8.10.0-1 \|\| =8.10.0-2 \|\| =8.10.1-1 \|\| =8.10.1-1~bpo12+1 \|\| =8.10.1-2 \|\| =8.11.0-1 \|\| =8.11.1-1 \|\| =8.11.1-1~bpo12+1 \|\| =8.12.0+git20250209.89ed161+ds-1 \|\| =8.12.0+git20250209.89ed161+ds-1~bpo12+1 \|\| =8.12.1-1 \|\| =8.12.1-2 \|\| =8.12.1-2~bpo12+1 \|\| =8.12.1-3 \|\| =8.12.1-3~bpo12+1 \|\| =8.13.0-1 \|\| =8.13.0-1+exp1 \|\| =8.13.0-2 \|\| =8.13.0-2+exp1 \|\| =8.13.0-3 \|\| =8.13.0-4 \|\| =8.13.0-4+exp1 \|\| =8.13.0-5 \|\| =8.13.0-5+exp1 \|\| =8.13.0-5~bpo12+1 \|\| =8.13.0~rc-1~exp1 \|\| =8.13.0~rc-1~exp2 \|\| =8.13.0~rc2-1 \|\| =8.13.0~rc2-2 \|\| =8.13.0~rc3-1 \|\| =8.13.0~rc3-1+exp1 \|\| =8.14.0-1 \|\| =8.14.0-1+exp1 \|\| =8.14.0~rc1-1+exp1 \|\| =8.14.0~rc2-1+exp1 \|\| =8.14.0~rc3-1+exp1 \|\| =8.14.1-1 \|\| =8.14.1-1~bpo12+1 \|\| =8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.14.1-2~bpo12+1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.2.1-1 \|\| =8.2.1-2 \|\| =8.2.1-2~bpo12+1 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1 \|\| =8.3.0-1 \|\| =8.3.0-2 \|\| =8.3.0-2~bpo12+1 \|\| =8.3.0-2~exp1 \|\| =8.3.0-3 \|\| =8.4.0-1 \|\| =8.4.0-2 \|\| =8.4.0-2~bpo12+1 \|\| =8.5.0-1 \|\| =8.5.0-1+exp1 \|\| =8.5.0-2 \|\| =8.5.0-2+exp1 \|\| =8.5.0-2~bpo12+1 \|\| =8.6.0-1 \|\| =8.6.0-1.1 \|\| =8.6.0-2 \|\| =8.6.0-3 \|\| =8.6.0-3.1 \|\| =8.6.0-3.1~exp1 \|\| =8.6.0-3.1~exp2 \|\| =8.6.0-3.2 \|\| =8.6.0-4 \|\| =8.7.1-1 \|\| =8.7.1-1+exp1 \|\| =8.7.1-2 \|\| =8.7.1-3 \|\| =8.7.1-4 \|\| =8.7.1-5 \|\| =8.7.1-5+exp1 \|\| =8.7.1-5~bpo12+1 \|\| =8.8.0-1 \|\| =8.8.0-1+exp1 \|\| =8.8.0-1+exp2 \|\| =8.8.0-1~bpo12+1 \|\| =8.8.0-2 \|\| =8.8.0-3 \|\| =8.8.0-4 \|\| =8.9.0-1 \|\| =8.9.0-2 \|\| =8.9.0-3 \|\| =8.9.1-1 \|\| =8.9.1-2 \|\| =8.9.1-2~bpo12+1	-
debian 14	curl	=8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| >=0 <8.18.0~rc3-1	8.18.0~rc3-1
rpm rhel10	snphost	-	-
rpm rhel9	snphost	-	-
rpm rhel10	rust	-	-
rpm rhel10	curl	-	-
rpm rhel9	rust	-	-
rpm rhel10	s390utils	-	-
rpm rhel10	trustee-guest-components	-	-

1-10 of 12

Aliases

1. CVE-2025-148192. NVD-2025-148193. OSV-DEBIAN-2025-148194. OSV-2025-148195. OSV-ALPINE-2025-148196. SECURITY-TRACKER-CVE-2025-148197. SECURITY-CVE-2025-14819

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.