CVE-2025-10148 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-10148

CVE-2025-10148

September 12, 2025

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. This affects curl 7.86.0 to and including 8.15.0, fixed in 8.16.0

Affected Packages

https://github.com/curl/curl.git (GITHUB):

Affected version(s)

Fix Suggestion:

Update to version curl-8_16_0

Related Resources (8)

https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

http://www.openwall.com/lists/oss-security/2025/09/10/3

https://hackerone.com/reports/3330839

http://www.openwall.com/lists/oss-security/2025/09/10/4

https://curl.se/docs/CVE-2025-10148.json

https://curl.se/docs/CVE-2025-10148.html

http://www.openwall.com/lists/oss-security/2025/09/10/2

https://seclists.org/oss-sec/2025/q3/161

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

EPSS

Base Score:

0.10

Products

Solutions

Resources

Company

Compare

Developer Tools