CVE-2025-14819
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-08

Last updated on: 2026-01-20

Assigner: curl

Description
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14819
EUVD
EUVD-2026-1566
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
haxx curl From 7.87.0 (inc) to 8.18.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in libcurl's OpenSSL backend occurs when TLS transfers reuse easy or multi handles and the CURLSSLOPT_NO_PARTIALCHAIN option is toggled. Libcurl caches the CA store in memory for performance, but due to this flaw, it may reuse a cached CA store with the partial chain option reversed. This causes libcurl to accept a trust chain that it normally would reject, contrary to user expectations. It affects libcurl versions 7.87.0 through 8.17.0 and only applies if CA caching is enabled. The issue is classified as improper certificate validation (CWE-295) with low severity. [1, 2]

Impact Analysis

The vulnerability can cause libcurl to accept TLS certificate chains that it should reject, potentially allowing connections to servers with incomplete or improperly validated certificate chains. This could undermine the security of TLS connections by trusting certificates that do not fully meet validation criteria, possibly exposing users to man-in-the-middle attacks or other security risks. However, libcurl still performs certificate verification and returns errors if verification fails, so the impact is limited to acceptance of partial trust chains that would otherwise be rejected. [1, 2]

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability. The issue relates to libcurl's internal handling of TLS certificate validation when reusing handles with the CURLSSLOPT_NO_PARTIALCHAIN option and CA caching enabled. Detection would likely require auditing libcurl versions and configurations rather than network commands.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade libcurl to version 8.18.0 or later where the issue is fixed. Alternatively, avoid using the CURLSSLOPT_NO_PARTIALCHAIN option and disable CA caching by setting CURLOPT_CA_CACHE_TIMEOUT to zero. These steps prevent libcurl from reusing a cached CA store with reversed partial chain options, thus maintaining proper certificate validation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart