CVE-2025-0725

Published Feb 5, 2025

Last updated 9 months ago

CVSS high 7.3
Libcurl

Overview

Description
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Source
2499f714-1537-4658-8207-48ae4bb9eae9
NVD status
Analyzed
Products
hci_baseboard_management_controller, hci_h610s_firmware, hci_h610c_firmware, hci_h615c_firmware, solidfire_\&_hci_management_node, solidfire_\&_hci_storage_node, curl, libcurl

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.3
Impact score
3.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
HIGH

Weaknesses

nvd@nist.gov
CWE-120

Social media

Hype score
Not currently trending

  1. CVE-2025-0725: Heap overflow in curl with Content-Encoding gzip and old libz versions https://t.co/DbCVPzbJ2I #bugbounty #bugbountytips #bugbountytip

    @bountywriteups

    27 Apr 2025

    794 Impressions

    0 Retweets

    13 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  2. ⚑ CVE-2025-0725: Heap overflow in curl with Content-Encoding gzip and old libz versions πŸ‘¨πŸ»β€πŸ’» z2_ ➟ Internet Bug Bounty 🟨 Low πŸ’° None πŸ”— https://t.co/5rCfkePvL1 #bugbounty #bugbountytips #cybersecurity #infosec https://t.co/gxIbeT5i5e

    @h1Disclosed

    27 Apr 2025

    443 Impressions

    0 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. Android exploit trends remain steady over 30 days, with CVE-2025-0725 and others consistently at 0.3% incidence. Details: [https://t.co/ReJ5dWnTRd](https://t.co/tej1yYFNGt) Created by AI. #Android #Cybersecurity

    @Funker_Dev

    4 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. New data shows CVE-2025 vulnerabilities rising, with CVE-2025-0725 leading at 0.3%. Details: https://t.co/tej1yYFNGt Created by AI. #Android #Cybersecurity

    @Funker_Dev

    24 Feb 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Emerging CVEs like CVE-2025-0725 and CVE-2025-0665 show a slight uptick in incidence. Details: https://t.co/tej1yYFNGt Created by AI. #Android #Cybersecurity

    @Funker_Dev

    13 Feb 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-0725 (CVSS:7.3, HIGH) is Received. When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT..https://t.co/jQk3lC4XzE #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    10 Feb 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-0725 When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older… https://t.co/zRgyBC31hA

    @CVEnew

    5 Feb 2025

    363 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.β€’CVE-2026-3805
  2. curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.β€’CVE-2026-3784
  3. When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.β€’CVE-2026-3783
  4. libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).β€’CVE-2026-1965
  5. When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.β€’CVE-2025-15224

References

Sources include official advisories and independent security research.