Executive Summary

CVE-2025-11563 is a path traversal vulnerability affecting the wcurl command line tool shipped with certain versions of curl and wcurl. It occurs because URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving output files outside of the current directory without the user explicitly requesting this behavior.

This flaw only affects the wcurl tool and does not impact other curl components. The vulnerability was introduced in specific commits and affects wcurl versions from 2024.12.08 to 2025.09.27 and curl versions 8.14.0 through 8.16.0. It was fixed in later versions of wcurl and curl.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause wcurl to save output files outside the intended directory without explicit user consent, potentially leading to unauthorized file creation or modification in unexpected locations.

Although the vulnerability does not cause file overwrites if curl is version 7.83 or higher, it still poses a moderate severity risk by allowing path traversal that could be exploited to place files in sensitive directories.

No active exploits are currently known, but the issue could be leveraged by an attacker to manipulate file storage locations, which might affect system integrity or security.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the wcurl command line tool saving output files outside the current directory when URLs contain percent-encoded slashes (`/` or `\\`). Detection involves checking usage of vulnerable wcurl versions and monitoring for unexpected file creations outside intended directories.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, first verify the wcurl version installed. Vulnerable versions are from 2024.12.08 to 2025.09.27 (Resource 1) or up to 2025.11.04 (Resource 2).'}, {'type': 'paragraph', 'content': 'Suggested commands to check the wcurl version:'}, {'type': 'list_item', 'content': 'wcurl --version'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or unexpected file writes, monitor file system activity for files created outside the current directory after running wcurl with URLs containing percent-encoded slashes.'}, {'type': 'paragraph', 'content': 'Example command to search for percent-encoded slashes in logs or command history:'}, {'type': 'list_item', 'content': "grep -r '%2F\\|%5C' /var/log/"}, {'type': 'paragraph', 'content': 'Additionally, review scripts or automation invoking wcurl with URLs that might contain encoded slashes.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps for CVE-2025-11563 include:

• Upgrade wcurl to version 2025.11.04 or later (shipped with curl 8.17.0 or later), or preferably to wcurl 2025.11.09 (shipped with curl 8.18.0) to apply the official fix.
• If upgrading is not possible immediately, apply the available patches locally to fix the vulnerability.
• Explicitly specify output filenames when using wcurl by using the -o, -O, or --output options to avoid unintended file writes.
• Disable percent-decoding of output filenames by using the --no-decode-filename option to prevent path traversal via encoded slashes.

Useful 0 Not Useful 0