CVE-2025-11563

Опубликовано: 25 фев. 2026

Источник: nvd

CVSS3: 4.6

EPSS Низкий

Описание

URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it.

This flaw only affects the wcurl command line tool.

Ссылки

https://curl.se/docs/CVE-2025-11563.html
Patch
Vendor Advisory
https://curl.se/docs/CVE-2025-11563.json
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/11/04/1
Mailing List
Third Party Advisory
https://lists.debian.org/debian-release/2025/11/msg00504.html
Mailing List
Third Party Advisory
Patch

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:curl:wcurl:*:*:*:*:*:*:*:*

Версия от 2024-12-08 (включая) до 2025-11-09 (исключая)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Версия от 8.14.0 (включая) до 8.18.0 (исключая)

EPSS

Процентиль: 4%

0.00017

Низкий

4.6 Medium

CVSS3

Дефекты

CWE-22

Связанные уязвимости

CVE-2025-11563

CVSS3: 4.6

ubuntu

около 1 месяца назад

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

CVE-2025-11563

CVSS3: 6.5

redhat

около 1 месяца назад

CVE-2025-11563

msrc

около 1 месяца назад

wcurl path traversal with percent-encoded slashes

CVE-2025-11563

CVSS3: 4.6

debian

около 1 месяца назад

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl i ...

SUSE-SU-2025:4300-1

suse-cvrf

4 месяца назад

Security update for curl

EPSS

Процентиль: 4%

0.00017

Низкий

4.6 Medium

CVSS3

Дефекты

CWE-22