NIXPKGS-2026-0031
CVE-2025-14017
6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed package wcurl
- @LeSuisse removed package curlie
- @LeSuisse removed package curlpp
- @LeSuisse removed package phpExtensions.curl
- @LeSuisse removed package curl-impersonate
- @LeSuisse removed package curlWithGnuTls
- @LeSuisse removed package curlMinimal
- @LeSuisse removed package guile-curl
- @LeSuisse removed package curlftpfs
- @LeSuisse removed package curlHTTP3
- @LeSuisse removed package grpcurl
- @LeSuisse added package curlMinimal
- @LeSuisse removed package curl-impersonate-ff
- @LeSuisse removed package ocamlPackages.curly
- @LeSuisse removed package ocamlPackages.ocurl
- @LeSuisse removed package tclPackages.tclcurl
- @LeSuisse removed package haskellPackages.curl
- @LeSuisse removed package luaPackages.lua-curl
- @LeSuisse removed package perlPackages.WWWCurl
- @LeSuisse removed package php81Extensions.curl
- @LeSuisse removed package php82Extensions.curl
- @LeSuisse removed package php83Extensions.curl
- @LeSuisse removed package haskellPackages.curlhs
- @LeSuisse removed package php84Extensions.curl
- @LeSuisse removed package lua51Packages.lua-curl
- @LeSuisse removed package lua52Packages.lua-curl
- @LeSuisse removed package lua53Packages.lua-curl
- @LeSuisse removed package lua54Packages.lua-curl
- @LeSuisse removed package curl-impersonate-chrome
- @LeSuisse removed package luajitPackages.lua-curl
- @LeSuisse removed package perl538Packages.WWWCurl
- @LeSuisse removed package perl540Packages.WWWCurl
- @LeSuisse removed package haskellPackages.hxt-curl
- @LeSuisse removed package python312Packages.pycurl
- @LeSuisse removed package python313Packages.pycurl
- @LeSuisse removed package python312Packages.curlify
- @LeSuisse removed package python313Packages.curlify
- @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages.libcurl
- @LeSuisse removed package haskellPackages.recurly-client
- @LeSuisse removed package haskellPackages.curly-expander
- @LeSuisse removed package haskellPackages.curl-cookiejar
- @LeSuisse removed package haskellPackages.download-curl
- @LeSuisse removed package python313Packages.curl-cffi
- @LeSuisse removed package python312Packages.curl-cffi
- @LeSuisse removed package typstPackages.curli_0_1_0
- @LeSuisse removed 2 maintainers
  - @Scrumplex
  - @lovek323
- @LeSuisse added 14 maintainers
  - @GGG-KILLER
  - @deliciouslytyped
  - @Ma27
  - @CrazedProgrammer
  - @knl
  - @ethancedwards8
  - @piotrkwiecinski
  - @aanderse
  - @talyz
  - @chuangzhu
  - @fgaz
  - @bennofs
  - @D4ndellion
  - @sternenseemann
- @LeSuisse removed 14 maintainers
  - @GGG-KILLER
  - @deliciouslytyped
  - @Ma27
  - @CrazedProgrammer
  - @knl
  - @ethancedwards8
  - @piotrkwiecinski
  - @aanderse
  - @talyz
  - @chuangzhu
  - @fgaz
  - @bennofs
  - @D4ndellion
  - @sternenseemann
- @LeSuisse accepted
- @LeSuisse published on GitHub
broken TLS options for threaded LDAPS
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other transfers being set up concurrently. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.
Affected products
curl
- =<7.19.5
- =<7.44.0
- =<7.84.0
- =<7.19.7
- =<7.43.0
- =<7.65.1
- =<7.29.0
- =<8.13.0
- =<8.9.0
- =<7.23.1
- =<7.23.0
- =<7.21.6
- =<8.7.1
- =<7.21.2
- =<7.83.0
- =<7.85.0
- =<8.6.0
- =<7.49.1
- =<7.28.1
- =<8.0.0
- =<7.66.0
- =<7.64.1
- =<7.64.0
- =<7.39.0
- =<7.69.0
- =<8.4.0
- =<7.18.1
- =<7.35.0
- =<7.19.6
- =<7.21.7
- =<8.1.2
- =<7.25.0
- =<7.22.0
- =<7.53.1
- =<8.17.0
- =<7.76.1
- =<7.76.0
- =<7.21.0
- =<7.77.0
- =<7.55.1
- =<7.40.0
- =<7.19.2
- =<8.2.0
- =<7.48.0
- =<7.45.0
- =<7.80.0
- =<8.11.0
- =<7.82.0
- =<7.88.1
- =<7.24.0
- =<7.78.0
- =<7.83.1
- =<8.7.0
- =<7.31.0
- =<7.52.1
- =<7.54.1
- =<8.12.0
- =<7.46.0
- =<7.32.0
- =<7.56.0
- =<7.47.0
- =<7.62.0
- =<8.10.0
- =<7.52.0
- =<8.2.1
- =<7.74.0
- =<7.37.0
- =<7.41.0
- =<7.20.0
- =<7.81.0
- =<7.50.1
- =<7.21.5
- =<7.72.0
- =<7.61.1
- =<7.30.0
- =<7.65.3
- =<7.47.1
- =<7.37.1
- =<7.65.2
- =<7.50.2
- =<7.60.0
- =<7.88.0
- =<7.28.0
- =<7.18.0
- =<7.36.0
- =<7.20.1
- =<7.61.0
- =<7.21.1
- =<8.1.1
- =<7.42.0
- =<7.19.0
- =<7.73.0
- =<7.56.1
- =<7.69.1
- =<7.21.3
- =<7.65.0
- =<7.19.3
- =<7.50.0
- =<7.50.3
- =<8.11.1
- =<7.67.0
- =<7.17.0
- =<7.79.1
- =<7.58.0
- =<7.26.0
- =<7.17.1
- =<7.70.0
- =<8.3.0
- =<8.12.1
- =<7.79.0
- =<7.55.0
- =<8.15.0
- =<7.71.0
- =<7.87.0
- =<7.53.0
- =<7.33.0
- =<7.18.2
- =<7.75.0
- =<7.19.1
- =<8.9.1
- =<8.14.0
- =<8.1.0
- =<7.51.0
- =<7.19.4
- =<7.21.4
- =<8.16.0
- =<7.49.0
- =<7.86.0
- =<7.68.0
- =<7.59.0
- =<8.10.1
- =<8.5.0
- =<7.71.1
- =<8.14.1
- =<7.27.0
- =<8.8.0
- =<7.57.0
- =<7.54.0
- =<8.0.1
- =<7.38.0
- =<7.34.0
- =<7.63.0
- =<7.42.1
Matching in nixpkgs
pkgs.curl
Command line tool for transferring files with URL syntax
pkgs.curlFull
Command line tool for transferring files with URL syntax
pkgs.curlMinimal
Command line tool for transferring files with URL syntax
Package maintainers
Ignored maintainers (2)
- @Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
- @lovek323 Jason O'Conal <jason@oconal.id.au>