CVE-2025-15224

Published Jan 8, 2026

Last updated a month ago

CVSS low 3.1
Curl
Libcurl

Overview

Description
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
Source
2499f714-1537-4658-8207-48ae4bb9eae9
NVD status
Analyzed
Products
curl

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.1
Impact score
1.4
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity
LOW

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-287

Social media

Hype score
Not currently trending

  1. 🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2025-15224 impacts curl-minimal in 40 Lambda base images. Details: https://t.co/L2QCvQiGfL More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    19 Feb 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally runn… https://t.co/52lIru92N5

    @CVEnew

    8 Jan 2026

    167 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.CVE-2025-11563
  2. When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.CVE-2025-15079
  3. When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.CVE-2025-14819
  4. When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.CVE-2025-14524
  5. When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.CVE-2025-13034

References

Sources include official advisories and independent security research.