Due to a mistake in libcurl's WebSocket code, a malicious server can send a
particularly crafted packet which makes libcurl get trapped in an endless
busy-loop.
There is no other way for the application to escape or exit this loop other
than killing the thread/process.
This might be used to DoS a libcurl-using application.
History
Wed, 30 Jul 2025 19:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Haxx; Haxx curl | |
CPEs | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
Vendors & Products | Haxx; Haxx curl | |
Tue, 10 Jun 2025 02:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-835 | |
References | | |
Metrics | threat_severity | threat_severity |
Mon, 09 Jun 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | cvssV3_1 | |
Sat, 07 Jun 2025 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Sat, 07 Jun 2025 08:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. | |
Title | WebSocket endless loop | |
References | | |

Status: PUBLISHED
Assigner: curl
Published: 2025-06-07T07:49:09.370Z
Updated: 2025-06-09T13:20:29.843Z
Reserved: 2025-05-31T15:02:27.226Z
Link: CVE-2025-5399

Updated: 2025-06-07T08:05:07.254Z

Status: Analyzed
Published: 2025-06-07T08:15:20.687
Modified: 2025-07-30T19:41:33.457
Link: CVE-2025-5399
