CVE-2025-5399 Information
Description
Due to a mistake in libcurl’s WebSocket code a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.
There is no other way for the application to escape or exit this loop other than killing the thread/process.
This might be used to DoS libcurl-using application.
Reference
cve@curl.se http://www.openwall.com/lists/oss-security/2025/06/04/2 https://curl.se/docs/CVE-2025-5399.html https://curl.se/docs/CVE-2025-5399.json https://hackerone.com/reports/3168039 Due to a mistake in libcurl’s WebSocket code a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.
There is no other way for the application to escape or exit this loop other than killing the thread/process.
This might be used to DoS libcurl-using application.
Share on: