CVE-2025-15079

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N                                    

Vulnerability Description

When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.

Vulnerability Details

Published Date

January 08, 2026

Last Modified

January 20, 2026

CWE ID

CWE-297

Source

NVD

Vendor

haxx

Product

curl

External References

https://curl.se/docs/CVE-2025-15079.html
https://curl.se/docs/CVE-2025-15079.json
https://hackerone.com/reports/3477116
http://www.openwall.com/lists/oss-security/2026/01/07/6

CVE-2025-15079

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment