CVE-2025-0725

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

• curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: https://github.com/curl/curl/commit/019c4088cfcca0d2b7c5cc4f52ca5dac0c616089 (curl-7_10_5) Fixed by: https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7fe141010077eb88 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older