CNNVD-202509-1821 Information

CNNVD ID

CNNVD-202509-1821

CVE-2025-10148

  • CNNVD Published: 2025-09-12

Description (Chinese)

curl is an open-source tool from the cURL project for transferring data to or from a server. curl contains a security vulnerability that stems from the websocket code not updating the 32-bit masking pattern for each new outbound frame as the specification requires, using a fixed mask instead; this could allow a malicious server to induce traffic that a proxy mistakes for genuine HTTP traffic, thereby poisoning its cache.

Description (English)

curl is an open-source tool from the cURL project for transferring data to or from a server. curl has a security vulnerability that stems from the websocket code not updating the 32-bit masking key for each new outbound frame as the specification requires, instead reusing a fixed mask. This could allow a malicious server to induce client traffic that a proxy misinterprets as genuine HTTP traffic, thereby contaminating its cache.
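The following is an added illustration, not code from curl or from this record: it builds RFC 6455 client frames with a fresh random masking key per frame (the behaviour the specification requires), and includes a simple check a defender could run over captured client frames to flag the fixed-mask pattern described above. Function names and the sample payloads are my own constructions.

```python
import os
import struct
from typing import List, Optional

def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with the repeating 4-byte masking key (RFC 6455 section 5.3).
    The operation is its own inverse, so anyone who knows the key knows the wire bytes;
    that is why the key must be fresh and unpredictable for every frame."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_frame(payload: bytes, key: Optional[bytes] = None, opcode: int = 0x1) -> bytes:
    """Build a single FIN client-to-server frame. A fresh random key is drawn per frame
    unless the caller forces one (used below only to reproduce the fixed-mask defect)."""
    if key is None:
        key = os.urandom(4)  # fresh per-frame masking key, as the spec requires
    header = bytes([0x80 | opcode])  # FIN=1, RSV=0, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])  # MASK bit set, 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + key + mask_payload(payload, key)

def frame_mask_key(frame: bytes) -> bytes:
    """Extract the 4-byte masking key from a masked client frame."""
    second = frame[1]
    if not second & 0x80:
        raise ValueError("client frames must be masked")
    length_code = second & 0x7F
    offset = 2 + (2 if length_code == 126 else 8 if length_code == 127 else 0)
    return frame[offset:offset + 4]

def masks_reused(frames: List[bytes]) -> bool:
    """Detection check over captured client frames: True if any masking key repeats.
    A compliant client should never trigger this across a handful of frames."""
    keys = [frame_mask_key(f) for f in frames]
    return len(set(keys)) < len(keys)

# Constructed sample traffic: five frames from a compliant client vs. five with a fixed key.
SAMPLE_PAYLOADS = [b"hello", b"world", b"ping", b"pong", b"x" * 200]
COMPLIANT_FRAMES = [build_client_frame(p) for p in SAMPLE_PAYLOADS]
FIXED_KEY = b"\x01\x02\x03\x04"  # constructed stand-in for a never-updated mask
FIXED_MASK_FRAMES = [build_client_frame(p, FIXED_KEY) for p in SAMPLE_PAYLOADS]
```

Running the check over the two captures flags only the fixed-mask set; for real traffic, apply `masks_reused` to client frames recovered from a packet capture.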

Hazard Level

Critical

Vulnerability Type

Other

Affected Vendor

cURL

Published

2025-09-12

Last Modified

2026-02-24

References

  • https://curl.se/docs/CVE-2025-10148.json
  • https://hackerone.com/reports/3330839
  • https://curl.se/docs/CVE-2025-10148.html
  • https://vigilance.fr/vulnerability/curl-information-disclosure-via-Predictable-WebSocket-Mask-48186

Patch

https://github.com/curl/curl/releases
