curl (SUSE:Linux Enterprise Module for Basesystem 15 SP6) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Basesystem 15 SP6 package curl, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (15)
CVE-2024-6197 — CVSS 7.5 (high): libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return…
CVE-2025-9086 — CVSS 7.5 (high): 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target`…
CVE-2025-5399 — CVSS 7.5 (high): Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in…
CVE-2025-0725 — CVSS 7.3 (high): When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option…
CVE-2025-0665 — CVSS 7.0 (high): libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded…
CVE-2025-4947 — CVSS 6.5 (medium): libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the…
CVE-2024-7264 — CVSS 6.5 (medium): libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically…
CVE-2024-8096 — CVSS 6.5 (medium): When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server…
CVE-2024-9681 — CVSS 6.5 (medium): When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or…
CVE-2025-10148 — CVSS 5.3 (medium): curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed…
CVE-2025-5025 — CVSS 4.8 (medium): libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when…
CVE-2025-11563 — CVSS 4.6 (medium): URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without…
CVE-2024-6874 — CVSS 4.3 (medium): libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN…
CVE-2024-11053 — CVSS 3.4 (low): When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host…
CVE-2025-0167 — CVSS 3.4 (low): When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to…