Description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| curl | fixed | 8.17.0-2 | | package |
| curl | fixed | 8.14.1-2+deb13u2 | trixie | package |
| curl | not-affected | | bookworm | package |
| curl | not-affected | | bullseye | package |
Notes
Introduced with: https://github.com/curl/wcurl/commit/e01d578582a23695ee3cec08a2bff29d61a0bfb4 (v2024.12.08)
Fixed by: https://github.com/curl/wcurl/commit/524f7e733237cd26553dfd76adda521d3150d852 (v2025.11.04)
Introduced with: https://github.com/curl/curl/commit/23bed347b38922779382599f8b72c4d762add7bd (curl-8_14_0)
Fixed by: https://github.com/curl/curl/commit/fb0c014e30e5f4de7aa0d566c52c836a6423da29 (rc-8_17_0-3)
Included in Debian since 8.8.0-2
https://curl.se/docs/CVE-2025-11563.html
Followup for incomplete fix: https://github.com/curl/wcurl/pull/75