vulnerability

Arch Linux: Denial of service (CVE-2025-5399)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Jun 7, 2025	Jul 11, 2025	Nov 27, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Jun 7, 2025

Added

Jul 11, 2025

Modified

Nov 27, 2025

Description

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.

Solution

arch-linux-upgrade-latest

References

CVE-2025-5399
https://attackerkb.com/topics/CVE-2025-5399
URL-https://curl.se/docs/CVE-2025-5399.html
URL-https://curl.se/docs/CVE-2025-5399.json
URL-https://hackerone.com/reports/3168039
URL-https://security.archlinux.org/ASA-202506-2
CWE-835

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today