{"id":"CURL-CVE-2025-15079","summary":"libssh global known_hosts override","details":"When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.","aliases":["CVE-2025-15079"],"modified":"2026-04-25T20:22:26.715329Z","published":"2026-01-07T08:00:00Z","database_specific":{"award":{"currency":"USD","amount":"505"},"URL":"https://curl.se/docs/CVE-2025-15079.json","severity":"Low","issue":"https://hackerone.com/reports/3477116","last_affected":"8.17.0","www":"https://curl.se/docs/CVE-2025-15079.html","affects":"both","CWE":{"id":"CWE-297","desc":"Improper Validation of Certificate with Host Mismatch"},"package":"curl"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.58.0"},{"fixed":"8.18.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"c92d2e14cfb0db662f958effd2ac86f995cf1b5a"},{"fixed":"adca486c125d9a6d9565b9607a19dce803a8b479"}]}],"versions":["8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:22:26Z","vanir_signatures":[{"id":"CURL-CVE-2025-15079-2a01c048","signature_type":"Line","deprecated":false,"target":{"file":"lib/vssh/libssh.c"},"source":"https://github.com/curl/curl.git/commit/adca486c125d9a6d9565b9607a19dce803a8b479","signature_version":"v1","digest":{"line_hashes":["154575153157544741194860835334875511962","309481514725220947052872221583547583347","254045176640521679480925776028254756608","140624623419491185855662600675706734772"],"threshold":0.9}},{"id":"CURL-CVE-2025-15079-95faa990","signature_type":"Function","deprecated":false,"target":{"file":"lib/vssh/libssh.c","function":"myssh_connect"},"source":"https://github.com/curl/curl.git/commit/adca486c125d9a6d9565b9607a19dce803a8b479","signature_version":"v1","digest":{"length":2963,"function_hash":"179759690000595925597507395316046644025"}}],"source":"https://curl.se/docs/CURL-CVE-2025-15079.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}