CVE-2025-11563 — MEDIUM (4.6)

Q: How severe is CVE-2025-11563?

CVE-2025-11563 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-11563?

Check the references section above for vendor advisories and patch information. Affected products include: Curl Wcurl, Haxx Curl.

Vulnerability Description

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Curl	Wcurl	>= 2024-12-08, < 2025-11-09
Haxx	Curl	>= 8.14.0, < 8.18.0

Related Weaknesses (CWE)

CWE-22

References

https://curl.se/docs/CVE-2025-11563.htmlPatchVendor Advisory
https://curl.se/docs/CVE-2025-11563.jsonVendor Advisory
http://www.openwall.com/lists/oss-security/2025/11/04/1Mailing ListThird Party Advisory
https://lists.debian.org/debian-release/2025/11/msg00504.htmlMailing ListThird Party AdvisoryPatch

FAQ

What is CVE-2025-11563?

CVE-2025-11563 is a vulnerability with a CVSS score of 4.6 (MEDIUM). URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the...

How severe is CVE-2025-11563?

CVE-2025-11563 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-11563?

Check the references section above for vendor advisories and patch information. Affected products include: Curl Wcurl, Haxx Curl.