CVE-2025-15079

Опубликовано: 08 янв. 2026

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Ссылки

https://curl.se/docs/CVE-2025-15079.html
Vendor Advisory
Patch
https://curl.se/docs/CVE-2025-15079.json
Vendor Advisory
https://hackerone.com/reports/3477116
Exploit
Issue Tracking
Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/6
Mailing List
Third Party Advisory
Patch

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Версия от 7.58.0 (включая) до 8.18.0 (исключая)

EPSS

Процентиль: 10%

0.00035

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-297

Связанные уязвимости

CVE-2025-15079

CVSS3: 5.3

ubuntu

3 месяца назад

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

CVE-2025-15079

msrc

3 месяца назад

libssh global known_hosts override

CVE-2025-15079

CVSS3: 5.3

debian

3 месяца назад

When doing SSH-based transfers using either SCP or SFTP, and setting t ...

GHSA-7q9p-cx8r-rh2q

CVSS3: 5.3

github

3 месяца назад

BDU:2026-03453

CVSS3: 5.3

fstec

3 месяца назад

Уязвимость библиотеки libcurl программного средства для взаимодействия с серверами cURL, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации

EPSS

Процентиль: 10%

0.00035

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-297