Sign In

CVE-2025-10148

ADVISORY - nist

Summary

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

EPSS Score: 0.00037 (0.105)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-noinfo

Impacted images

Advisories

Alpine

CREATED

UPDATED

ADVISORY IDCVE-2025-10148
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY
PackageTypeOS NameOS VersionAffected RangesFix Versions
alpine/curlapkalpine3.20<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.20<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.19<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.19<=8.11.1-r0Not yet available
alpine/curlapkalpine3.19<=8.11.1-r1Not yet available
alpine/curlapkalpine3.19<=8.12.0-r0Not yet available
alpine/curlapkalpine3.19<=8.12.1-r0Not yet available
alpine/curlapkalpine3.19<=8.9.1-r1Not yet available
alpine/curlapkalpine3.22<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.21<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.21<=8.11.0-r2Not yet available
alpine/curlapkalpine3.21<=8.11.1-r0Not yet available
alpine/curlapkalpine3.21<=8.11.1-r1Not yet available
alpine/curlapkalpine3.21<=8.12.0-r0Not yet available
alpine/curlapkalpine3.21<=8.12.1-r0Not yet available
alpine/curlapkalpine3.21<=8.12.1-r1Not yet available
alpine/curlapkalpine3.21<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.22<8.14.1-r28.14.1-r2
alpine/curlapkalpine3.22<=8.14.1-r1Not yet available
alpine/curlapkalpineedge<8.16.0-r08.16.0-r0
alpine/curlapkalpineedge<=8.11.0-r2Not yet available
alpine/curlapkalpineedge<=8.11.1-r0Not yet available
alpine/curlapkalpineedge<=8.11.1-r1Not yet available
alpine/curlapkalpineedge<=8.12.0-r0Not yet available
alpine/curlapkalpineedge<=8.12.1-r0Not yet available
alpine/curlapkalpineedge<=8.12.1-r1Not yet available
alpine/curlapkalpineedge<=8.13.0-r0Not yet available
alpine/curlapkalpineedge<=8.13.0-r1Not yet available
alpine/curlapkalpineedge<=8.14.0-r0Not yet available
alpine/curlapkalpineedge<=8.14.0-r1Not yet available
alpine/curlapkalpineedge<=8.14.0-r2Not yet available
alpine/curlapkalpineedge<=8.14.1-r0Not yet available
alpine/curlapkalpineedge<=8.14.1-r1Not yet available
alpine/curlapkalpineedge<=8.14.1-r2Not yet available
alpine/curlapkalpineedge<=8.15.0-r0Not yet available
alpine/curlapkalpineedge<=8.15.0-r1Not yet available
alpine/curlapkalpineedge<=8.15.0-r2Not yet available
alpine/curlapkalpineedge<8.16.0-r08.16.0-r0
alpine/curlapkalpine3.23<8.16.0-r08.16.0-r0
alpine/curlapkalpine3.20<=8.11.0-r2Not yet available
alpine/curlapkalpine3.20<=8.11.1-r0Not yet available
alpine/curlapkalpine3.20<=8.11.1-r1Not yet available
alpine/curlapkalpine3.20<=8.12.0-r0Not yet available
alpine/curlapkalpine3.20<=8.12.1-r0Not yet available
alpine/curlapkalpine3.19<8.14.1-r28.14.1-r2

Severity and metrics

No CVSS data available from this advisory.

NIST

CREATED

UPDATED

ADVISORY IDCVE-2025-10148
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-noinfo

CVSS SCORE

5.3medium

Debian

CREATED

UPDATED

ADVISORY IDCVE-2025-10148
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2025-10148
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Photon

CREATED

UPDATED

ADVISORY ID

CVE-2025-10148

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

5.3medium