CVE-2025-5399

HIGH7.5

WebSocket endless loop

Published Jun 7, 2025

Modified 9 months ago

Details

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process.

This might be used to DoS libcurl-using application.

References

WEB

http://www.openwall.com/lists/oss-security/2025/06/04/2

WEB

https://curl.se/docs/CVE-2025-5399.html

WEB

https://curl.se/docs/CVE-2025-5399.json

WEB

https://hackerone.com/reports/3168039

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-5399

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ecosystems

Timeline

PublishedJun 7, 2025

ModifiedJun 9, 2025