CVE-2025-5025 – libcurl wolfSSL QUIC Certificate Pinning Bypass

CVE ID : CVE-2025-5025

Published : May 28, 2025, 7:15 a.m. | 26 minutes ago

Description : libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…