Vulnerability CVE-2025-15224: Information

Description

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Severity: LOW (3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-15224
Published: Jan. 8, 2026
Modified: Jan. 8, 2026
Error type identifier: CWE-287

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus8.18.0-alt18.18.0-alt1ALT-PU-2026-1133-1404633Fixed
curlsisyphus_riscv648.18.0-alt18.18.0-alt1ALT-PU-2026-1147-1-Fixed
curlsisyphus_loongarch648.18.0-alt18.18.0-alt1ALT-PU-2026-1153-1-Fixed
curlp118.18.0-alt18.14.1-alt2ALT-PU-2026-1135-1404638Testing

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.se/docs/CVE-2025-15224.html
    https://curl.se/docs/CVE-2025-15224.json
      https://hackerone.com/reports/3480925
        http://www.openwall.com/lists/oss-security/2026/01/07/7
          VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
          Version: v25.10.0
          Back to top