CVE-2025-14017

low-risk

Published 2026-01-08

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

LOCAL / HIGH complexity

Affected Products (1)

Curl

Affected Vendors

Haxx

References (3)

Vendor Advisory https://curl.se/docs/CVE-2025-14017.html

Vendor Advisory https://curl.se/docs/CVE-2025-14017.json

Mailing List http://www.openwall.com/lists/oss-security/2026/01/07/3

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal