Vulnerability Details CVE-2025-10148
curl's WebSocket code did not update the 32-bit mask pattern for each new
outgoing frame as the specification requires. Instead, it used a single fixed
mask for the entire connection.
A predictable mask pattern allows a malicious server to induce traffic
between the two communicating parties that an involved proxy (configured or
transparent) could interpret as genuine HTTP traffic with content,
and thereby poison its cache. That poisoned cached content could then be
served to all users of that proxy.
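A check for the condition described above, as an added example that is not curl's code: it walks a captured client-to-server WebSocket byte stream, reads each frame's masking key from the RFC 6455 header, and counts frames that repeat the previous frame's key. The function names `ws_frame_key` and `ws_count_key_reuse` and both sample streams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed samples: two masked text frames ("Hi") per stream. */
static const uint8_t FIXED[] = {   /* same key on both frames */
  0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 0x59, 0x4b,
  0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 0x59, 0x4b };
static const uint8_t FRESH[] = {   /* new key on the second frame */
  0x81, 0x82, 0x11, 0x22, 0x33, 0x44, 0x59, 0x4b,
  0x81, 0x82, 0xa5, 0x5a, 0xc3, 0x3c, 0xed, 0x33 };

/* Read one client frame header (RFC 6455 section 5.2), copy its masking
   key to key[] and return the frame's total size; 0 if truncated/unmasked. */
static size_t ws_frame_key(const uint8_t *p, size_t len, uint8_t key[4])
{
  size_t hdr = 2, i;
  uint64_t plen;
  if(len < 2 || !(p[1] & 0x80))     /* MASK bit must be set by a client */
    return 0;
  plen = p[1] & 0x7f;
  if(plen >= 126) {                 /* 16-bit or 64-bit extended length */
    size_t ext = (plen == 126) ? 2 : 8;
    if(len < 2 + ext) return 0;
    for(plen = 0, i = 0; i < ext; i++)
      plen = (plen << 8) | p[2 + i];
    hdr += ext;
  }
  if(len < hdr + 4 || plen > len - hdr - 4)
    return 0;                       /* key or payload runs past the buffer */
  memcpy(key, p + hdr, 4);
  return hdr + 4 + (size_t)plen;
}

/* Number of frames whose key equals the previous frame's key; -1 on error. */
int ws_count_key_reuse(const uint8_t *buf, size_t len)
{
  uint8_t prev[4] = {0}, cur[4];
  int frames = 0, reused = 0;
  while(len) {
    size_t n = ws_frame_key(buf, len, cur);
    if(!n) return -1;
    if(frames++ && !memcmp(prev, cur, 4))
      reused++;
    memcpy(prev, cur, 4);
    buf += n; len -= n;
  }
  return reused;
}
```

A client that masks correctly yields 0 apart from a one-in-2^32 coincidence per frame pair, while a connection with a fixed mask yields one less than its frame count.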
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.7%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2025-10148
- cpe:2.3:a:haxx:curl:8.11.0
- cpe:2.3:a:haxx:curl:8.11.1
- cpe:2.3:a:haxx:curl:8.12.0
- cpe:2.3:a:haxx:curl:8.12.1
- cpe:2.3:a:haxx:curl:8.13.0
- cpe:2.3:a:haxx:curl:8.14.0
- cpe:2.3:a:haxx:curl:8.14.1
- cpe:2.3:a:haxx:curl:8.15.0