CVE-2025-10148
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-11-18

Assigner: curl

Description
curl's WebSocket code did not update the 32-bit mask pattern for each new outgoing frame as the specification requires. Instead it used a fixed mask that persisted and was reused throughout the entire connection. A predictable mask pattern allows a malicious server to induce traffic between the two communicating parties that an involved proxy (configured or transparent) could interpret as genuine HTTP traffic with content, and thereby poison its cache. That poisoned cached content could then be served to all users of that proxy.
Affected Vendors & Products (3 associated CPEs)

Vendor  Product  Version / Range
curl    curl     8.11.0
curl    curl     8.16.0
curl    curl     8.15.0
Executive Summary

The vulnerability in curl's websocket code is that it did not update the 32-bit mask pattern for each new outgoing frame as required by the specification. Instead, it used a fixed mask that persisted throughout the entire connection. This predictable mask pattern can be exploited by a malicious server to induce traffic that a proxy might interpret as genuine HTTP traffic, leading to cache poisoning.

Impact Analysis

This vulnerability can allow a malicious server to poison the cache of a proxy by sending traffic that appears as legitimate HTTP content. The poisoned cache content could then be served to all users of that proxy, potentially exposing them to malicious or incorrect data.
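The per-frame masking that the description and the summary above say curl failed to refresh, shown as an added Python example that is not curl's code and not taken from this advisory. It implements the client-side masking step of RFC 6455 (a fresh random 32-bit key per outgoing frame, payload XORed with key[i % 4]) and a checker that walks a captured client-to-server byte stream and reports frames whose masking key repeats an earlier one, which is what a defender looking for this defect on the wire would want. The sample messages and the constructed fixed key 0xdeadbeef (standing in for the persistent mask) are assumptions, not values from the advisory.

```python
"""Added example: RFC 6455 client frame masking plus a mask-reuse checker.
Not curl's code; the fixed key and the sample messages are constructed."""
import os
import struct
from typing import List, Optional, Tuple


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR every payload byte with key[i % 4] (RFC 6455 section 5.3).
    Masking and unmasking are the same operation."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def encode_client_frame(payload: bytes, key: Optional[bytes] = None,
                        opcode: int = 0x1) -> bytes:
    """Build one unfragmented, masked client-to-server frame.

    With key=None a fresh key is drawn from os.urandom for each call, which is
    the behaviour the specification requires. Passing a key explicitly lets a
    test reproduce the fixed-mask behaviour described in the advisory so the
    checker below has something to detect; a real client must never do that.
    """
    if key is None:
        key = os.urandom(4)                     # new mask for every frame
    header = bytes([0x80 | (opcode & 0x0F)])    # FIN set, RSV bits clear
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])             # MASK bit + 7-bit length
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + key + mask_payload(payload, key)


def parse_client_frame(frame: bytes) -> Tuple[bytes, bytes, int]:
    """Return (masking_key, unmasked_payload, bytes_consumed) for the first
    masked frame at the start of `frame`."""
    second = frame[1]
    if not second & 0x80:
        raise ValueError("client frame without MASK bit set")
    n = second & 0x7F
    pos = 2
    if n == 126:
        n = struct.unpack("!H", frame[2:4])[0]
        pos = 4
    elif n == 127:
        n = struct.unpack("!Q", frame[2:10])[0]
        pos = 10
    key = frame[pos:pos + 4]
    body = frame[pos + 4:pos + 4 + n]
    if len(body) != n:
        raise ValueError("truncated frame")
    return key, mask_payload(body, key), pos + 4 + n


def find_reused_masks(stream: bytes) -> List[int]:
    """Walk a captured client->server stream and return the indices (0-based)
    of frames whose masking key already appeared on an earlier frame.
    A compliant client yields []; a client with a persistent mask flags every
    frame after the first."""
    seen = set()
    reused = []
    pos = idx = 0
    while pos < len(stream):
        key, _, used = parse_client_frame(stream[pos:])
        if key in seen:
            reused.append(idx)
        seen.add(key)
        pos += used
        idx += 1
    return reused


if __name__ == "__main__":
    msgs = [b"hello", b"world", b"again"]            # constructed sample traffic
    fixed = bytes.fromhex("deadbeef")                 # constructed persistent mask
    print(find_reused_masks(b"".join(encode_client_frame(m) for m in msgs)))
    print(find_reused_masks(b"".join(encode_client_frame(m, key=fixed) for m in msgs)))
```

The checker keys on exact repetition of the 4-byte mask, which is the fingerprint of the behaviour described above; with a spec-compliant client the chance of a repeat across a handful of frames is on the order of 2^-32 per pair, so a non-empty result on real traffic is a strong signal rather than noise.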
