CVE-2025-10148

low-risk

Published 2025-09-12

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Curl

Affected Vendors

Haxx

References (6)

Vendor Advisory https://curl.se/docs/CVE-2025-10148.html

Vendor Advisory https://curl.se/docs/CVE-2025-10148.json

Issue Tracking https://hackerone.com/reports/3330839

Mailing List http://www.openwall.com/lists/oss-security/2025/09/10/2

Mailing List http://www.openwall.com/lists/oss-security/2025/09/10/3

Mailing List http://www.openwall.com/lists/oss-security/2025/09/10/4

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal