libcurl up to 8.11.1 integer overflow

Summaryinfo

A vulnerability was found in libcurl. It has been declared as critical. This affects an unknown function. The manipulation results in integer overflow. This vulnerability is known as CVE-2025-0725. It is possible to launch the attack remotely. No exploit is available.

Detailsinfo

A vulnerability was found in libcurl. It has been classified as critical. Affected is some unknown processing. The manipulation with an unknown input leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-680. The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

The weakness was published by z2_. The advisory is shared for download at curl.se. This vulnerability is traded as CVE-2025-0725 since 01/27/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 215180 (SUSE SLES15 Security Update : curl (SUSE-SU-2025:0372-1)), which helps to determine the existence of the flaw in a target environment.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at Tenable (215180) and CERT Bund (WID-SEC-2025-0270). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• SUSE Linux
• IBM AIX
• Dell NetWorker
• Dell Avamar
• Open Source cURL
• NetApp Data ONTAP
• Tenable Security Nessus Network Monitor
• Splunk Splunk Enterprise

Productinfo

Type

• Network Utility Software

Name

• libcurl

Version

• 7.10.5
• 7.10.6
• 7.10.7
• 7.10.8
• 7.11.0
• 7.11.1
• 7.11.2
• 7.12.0
• 7.12.1
• 7.12.2
• 7.12.3
• 7.13.0
• 7.13.1
• 7.13.2
• 7.14.0
• 7.14.1
• 7.15.0
• 7.15.1
• 7.15.2
• 7.15.3
• 7.15.4
• 7.15.5
• 7.16.0
• 7.16.1
• 7.16.2
• 7.16.3
• 7.16.4
• 7.17.0
• 7.17.1
• 7.18.0
• 7.18.1
• 7.18.2
• 7.19.0
• 7.19.1
• 7.19.2
• 7.19.3
• 7.19.4
• 7.19.5
• 7.19.6
• 7.19.7
• 7.20.0
• 7.20.1
• 7.21.0
• 7.21.1
• 7.21.2
• 7.21.3
• 7.21.4
• 7.21.5
• 7.21.6
• 7.21.7
• 7.22.0
• 7.23.0
• 7.23.1
• 7.24.0
• 7.25.0
• 7.26.0
• 7.27.0
• 7.28.0
• 7.28.1
• 7.29.0
• 7.30.0
• 7.31.0
• 7.32.0
• 7.33.0
• 7.34.0
• 7.35.0
• 7.36.0
• 7.37.0
• 7.37.1
• 7.38.0
• 7.39.0
• 7.40.0
• 7.41.0
• 7.42.0
• 7.42.1
• 7.43.0
• 7.44.0
• 7.45.0
• 7.46.0
• 7.47.0
• 7.47.1
• 7.48.0
• 7.49.0
• 7.49.1
• 7.50.0
• 7.50.1
• 7.50.2
• 7.50.3
• 7.51.0
• 7.52.0
• 7.52.1
• 7.53.0
• 7.53.1
• 7.54.0
• 7.54.1
• 7.55.0
• 7.55.1
• 7.56.0
• 7.56.1
• 7.57.0
• 7.58.0
• 7.59.0
• 7.60.0
• 7.61.0
• 7.61.1
• 7.62.0
• 7.63.0
• 7.64.0
• 7.64.1
• 7.65.0
• 7.65.1
• 7.65.2
• 7.65.3
• 7.66.0
• 7.67.0
• 7.68.0
• 7.69.0
• 7.69.1
• 7.70.0
• 7.71.0
• 7.71.1
• 7.72.0
• 7.73.0
• 7.74.0
• 7.75.0
• 7.76.0
• 7.76.1
• 7.77.0
• 7.78.0
• 7.79.0
• 7.79.1
• 7.80.0
• 7.81.0
• 7.82.0
• 7.83.0
• 7.83.1
• 7.84.0
• 7.85.0
• 7.86.0
• 7.87.0
• 7.88.0
• 7.88.1
• 8.0.0
• 8.0.1
• 8.1.0
• 8.1.1
• 8.1.2
• 8.2.0
• 8.2.1
• 8.3.0
• 8.4.0
• 8.5.0
• 8.6.0
• 8.7.0
• 8.7.1
• 8.8.0
• 8.9.0
• 8.9.1
• 8.10.0
• 8.10.1
• 8.11.0
• 8.11.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion