Vulnerability Description
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | >= 8.11.0, < 8.16.0 |
References
- https://curl.se/docs/CVE-2025-10148.htmlVendor AdvisoryPatch
- https://curl.se/docs/CVE-2025-10148.jsonVendor Advisory
- https://hackerone.com/reports/3330839Issue TrackingThird Party Advisory
- http://www.openwall.com/lists/oss-security/2025/09/10/2Mailing ListThird Party AdvisoryPatch
- http://www.openwall.com/lists/oss-security/2025/09/10/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2025/09/10/4Mailing ListThird Party Advisory
FAQ
What is CVE-2025-10148?
CVE-2025-10148 is a vulnerability with a CVSS score of 5.3 (MEDIUM). curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire conn...
How severe is CVE-2025-10148?
CVE-2025-10148 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10148?
Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl.