{"id":"CVE-2025-4947","details":"libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.","aliases":["CURL-CVE-2025-4947"],"modified":"2026-03-23T05:08:28.454001525Z","published":"2025-05-28T07:15:24.780Z","related":["SUSE-SU-2025:03198-1","SUSE-SU-2025:20675-1","openSUSE-SU-2025:15176-1"],"references":[{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2025-4947.json"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2025/05/28/4"},{"type":"FIX","url":"https://curl.se/docs/CVE-2025-4947.html"},{"type":"FIX","url":"https://hackerone.com/reports/3150884"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"fd567d4f06857f4fc8e2f64ea727b1318f76ad33"},{"fixed":"4dacb79fcdd9364c1083e06f6a011d797a344f47"}],"database_specific":{"versions":[{"introduced":"8.8.0"},{"fixed":"8.14.0"}]}}],"versions":["curl-8_10_0","curl-8_10_1","curl-8_11_0","curl-8_11_1","curl-8_12_0","curl-8_12_1","curl-8_13_0","curl-8_8_0","curl-8_9_0","curl-8_9_1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4947.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}