CVE-2025-5399
BaseFortify

Publication date: 2025-06-07

Last updated on: 2025-07-30

Assigner: curl

Description
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS a libcurl-using application.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: haxx
Product: curl
Version / Range: from 8.13.0 (inclusive) to 8.14.1 (exclusive)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-5399 is a vulnerability in libcurl's WebSocket implementation where a malicious WebSocket server can send a specially crafted packet that causes libcurl to enter an endless busy-loop with no exit condition. This loop traps the application thread or process, and the only way to recover is to kill the affected thread or process. The issue was introduced in libcurl versions 8.13.0 and 8.14.0 and fixed in version 8.14.1. It is classified as a low severity vulnerability and is related to CWE-835 (Loop with Unreachable Exit Condition). [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can be exploited by a malicious WebSocket server to cause a denial-of-service (DoS) condition in applications using libcurl for WebSocket communication. The affected application can become trapped in an endless busy-loop, making it unresponsive and requiring the termination of the thread or process to recover. This can disrupt service availability and impact the reliability of applications relying on libcurl's WebSocket functionality. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as libcurl entering an endless busy-loop when communicating with a malicious WebSocket server that sends a specially crafted packet. Detection involves monitoring applications that use libcurl for WebSocket connections for symptoms such as high CPU usage or unresponsive behavior indicating a busy-loop. Since the curl command line tool is not affected, direct testing with curl commands is not applicable. No specific detection commands are provided, but monitoring process CPU usage and network traffic to WebSocket servers for unusual patterns may help identify exploitation attempts. [1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading libcurl to version 8.14.1 or later, where the vulnerability is fixed. Alternatively, apply the patch locally if upgrading is not immediately possible. Another mitigation is to avoid using WebSocket functionality in libcurl or disable the 'auto-pong' feature by using the CURLWS_NOAUTOPONG option, which prevents the vulnerability from being triggered. If an application is affected and trapped in the busy-loop, the only recovery is to kill the affected thread or process. [1, 2, 3]
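The detection and mitigation answers above boil down to one question a defender can automate: is the installed libcurl inside the affected range from 8.13.0 (inclusive) to 8.14.1 (exclusive)? The script below is an added example, not code from BaseFortify or the curl project; it assumes `curl-config --version` is available and prints a string such as `libcurl 8.13.0`, and it classifies any version string you pass to it.

```shell
#!/bin/sh
# Added example (not from the page or the curl project): classify a libcurl
# version string against the affected range [8.13.0, 8.14.1) for CVE-2025-5399.

# Convert "MAJOR.MINOR.PATCH" to one comparable integer
# (major*1000000 + minor*1000 + patch). A leading "libcurl " prefix and any
# trailing suffix such as "-DEV" are ignored; missing parts count as 0.
ver_key() {
  v=$(printf '%s' "$1" | sed 's/^libcurl *//; s/[^0-9.].*$//')
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$rest" = "$v" ] && { minor=0; patch=0; }   # "8" -> 8.0.0
  [ "$patch" = "$rest" ] && patch=0             # "8.13" -> 8.13.0
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Returns 0 (true) when the version lies inside the affected range, 1 otherwise.
libcurl_affected() {
  k=$(ver_key "$1")
  lo=$(ver_key 8.13.0)   # first affected release (inclusive)
  hi=$(ver_key 8.14.1)   # fixed release (exclusive)
  [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]
}

# Audit the locally installed libcurl via curl-config, when present.
# Exit status: 0 affected, 1 not affected, 2 could not determine.
audit_local_libcurl() {
  command -v curl-config >/dev/null 2>&1 || { echo "curl-config not found"; return 2; }
  installed=$(curl-config --version)   # e.g. "libcurl 8.13.0"
  if libcurl_affected "$installed"; then
    echo "$installed: AFFECTED by CVE-2025-5399 - upgrade to 8.14.1+ or set CURLWS_NOAUTOPONG"
    return 0
  fi
  echo "$installed: outside the affected range"
  return 1
}
```

Run `audit_local_libcurl` on each host that ships libcurl to applications using its WebSocket API; a non-zero result from `libcurl_affected` for the version your application links against means the endless-loop condition cannot be reached.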

