[manjaro-security] [ASA-202506-2] curl: denial of service

Andrea Denisse denisse at archlinux.org
Fri Jun 13 22:31:41 CEST 2025


Arch Linux Security Advisory ASA-202506-2
=========================================

Severity: Low
Date    : 2025-06-05
CVE-ID  : CVE-2025-5399
Package : curl
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2895

Summary
=======

The package curl before version 8.14.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 8.14.1-1.

# pacman -Syu "curl>=8.14.1-1"

The problem has been fixed upstream in version 8.14.1.
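Upgrading is the only fix the advisory offers, so the useful check on a host is whether the installed libcurl is already at or above 8.14.1. The POSIX shell script below is an added example, not part of the Arch advisory or of the curl project: it reads the version from the pacman database where available (falling back to the `libcurl/x.y.z` token that `curl --version` prints) and compares it field by field, since a plain string comparison would rank 8.9.0 above 8.14.1. The fixed version 8.14.1 and the package release 8.14.1-1 come from the advisory; the function names and the sample version strings in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Arch advisory): check whether the installed
# libcurl is at or above the release that fixes CVE-2025-5399.
# FIXED_VERSION comes from the advisory; the function names and any sample
# version strings here are constructed for this example.

FIXED_VERSION="8.14.1"

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Fields are compared numerically so that 8.9.0 < 8.14.1 (a lexical
# string compare would get this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# strip_pkgrel VERSION: drop an Arch package release suffix ("8.14.1-1" -> "8.14.1").
strip_pkgrel() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# curl_vulnerable VERSION: exit 0 (true) when VERSION is below FIXED_VERSION.
curl_vulnerable() {
    if version_ge "$(strip_pkgrel "$1")" "$FIXED_VERSION"; then
        return 1
    fi
    return 0
}

# installed_libcurl_version: prefer the package database on Arch-based systems,
# otherwise take the libcurl/x.y.z token from the first line of "curl --version"
# (the curl binary and the libcurl it links can differ in version).
installed_libcurl_version() {
    if command -v pacman >/dev/null 2>&1 && pacman -Q curl >/dev/null 2>&1; then
        pacman -Q curl | awk '{print $2}'
        return 0
    fi
    if command -v curl >/dev/null 2>&1; then
        curl --version | awk 'NR == 1 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^libcurl\//) { sub(/^libcurl\//, "", $i); print $i }
        }'
        return 0
    fi
    return 1
}

# report_installed: print a one-line verdict for this host. It never exits
# non-zero, so it is safe to run from an inventory job across many hosts.
report_installed() {
    v=$(installed_libcurl_version) || { echo "curl/libcurl not found in PATH"; return 0; }
    if curl_vulnerable "$v"; then
        echo "libcurl $v is below $FIXED_VERSION: affected by CVE-2025-5399, upgrade curl"
    else
        echo "libcurl $v is at or above $FIXED_VERSION: fixed"
    fi
}

report_installed
```

Run it as `sh check-curl.sh`; on an Arch or Manjaro host it reads the pacman entry (for example `curl 8.14.1-1`), elsewhere it falls back to the curl binary's reported libcurl version.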

Workaround
==========

None.

Description
===========

Due to a mistake in libcurl's WebSocket code, a malicious server can
send a particularly crafted packet which makes libcurl get trapped in
an endless busy-loop.

There is no way for the application to escape or exit this loop other
than killing the thread/process. This might be used to DoS
libcurl-using applications.

Impact
======

A remote attacker can send a specially crafted WebSocket frame that
triggers an infinite busy-loop in libcurl, causing the application to
hang indefinitely, potentially leading to a denial of service.

References
==========

https://curl.se/docs/CVE-2025-5399.html
https://github.com/curl/curl/commit/d1145df24de8f80e6b16
https://security.archlinux.org/CVE-2025-5399
