Vulnerability CVE-2025-15079: Information

Description

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-15079
Published: Jan. 8, 2026
Modified: Jan. 20, 2026
Error type identifier: CWE-297

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus8.18.0-alt18.18.0-alt1ALT-PU-2026-1133-1404633Fixed
curlsisyphus_riscv648.18.0-alt18.18.0-alt1ALT-PU-2026-1147-1-Fixed
curlsisyphus_loongarch648.18.0-alt18.18.0-alt1ALT-PU-2026-1153-1-Fixed
curlp118.18.0-alt18.18.0-alt1ALT-PU-2026-1135-2404638Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.se/docs/CVE-2025-15079.html
  • Vendor Advisory
  • Patch
https://curl.se/docs/CVE-2025-15079.json
  • Vendor Advisory
https://hackerone.com/reports/3477116
  • Exploit
  • Issue Tracking
  • Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/6
  • Mailing List
  • Third Party Advisory
  • Patch
    1. cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      Start including
      7.58.0
      End excluding
      8.18.0
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v25.10.0
Back to top