WebSocket endless loop
======================
Project curl Security Advisory, June 4 2025 - [Permalink](https://curl.se/docs/CVE-2025-5399.html)
VULNERABILITY
-------------
Due to a mistake in libcurl's WebSocket code, a malicious server can send a
particularly crafted packet which makes libcurl get trapped in an endless
busy-loop.
The only way for the application to escape this loop is to kill the
thread or process.
This might be used to DoS libcurl-using applications.
INFO
----
The problem does not occur if "auto-pong" is disabled with the
`CURLWS_NOAUTOPONG` option.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2025-5399 to this issue.
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Severity: Low
AFFECTED VERSIONS
-----------------
- Affected versions: curl 8.13.0 to and including 8.14.0
- Not affected versions: curl < 8.13.0 and >= 8.14.1
- Introduced-in: https://github.com/curl/curl/commit/3588df9478d7c270
libcurl is used by many applications, but not always advertised as such!
This bug is **not** considered a *C mistake*. It is not likely to have been
avoided had we not been using C.
This flaw does not affect the curl command line tool.
SOLUTION
--------
Starting in curl 8.14.1, this mistake is fixed.
- Fixed-in: https://github.com/curl/curl/commit/d1145df24de8f80e6b16
RECOMMENDATIONS
---------------
A - Upgrade curl to version 8.14.1
B - Apply the patch to your local version
C - Avoid using WebSocket
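The version check behind recommendation A and the `CURLWS_NOAUTOPONG` workaround from the INFO section, as an added C example that is not curl project code: the affected range is parsed from the version string libcurl reports at runtime, and the handle-hardening helper is only built when the assumed `USE_LIBCURL` flag is defined (the function names are also assumptions).

```c
#include <stdio.h>

/* Parse a libcurl version string such as "8.14.0" (the form found in
 * curl_version_info(CURLVERSION_NOW)->version) into one comparable number
 * laid out like LIBCURL_VERSION_NUM (0xMMmmpp); 0 means malformed input. */
unsigned long ws_version_num(const char *ver)
{
    unsigned int major, minor, patch;
    if (!ver || sscanf(ver, "%u.%u.%u", &major, &minor, &patch) != 3)
        return 0;
    if (major > 255 || minor > 255 || patch > 255)
        return 0;
    return ((unsigned long)major << 16) | (minor << 8) | patch;
}

/* CVE-2025-5399: curl 8.13.0 up to and including 8.14.0 are affected. */
int ws_autopong_loop_affected(const char *ver)
{
    unsigned long v = ws_version_num(ver);
    return v >= 0x080d00UL && v <= 0x080e00UL;
}

#ifdef USE_LIBCURL   /* assumed build flag: -DUSE_LIBCURL -lcurl */
#include <curl/curl.h>
/* Apply the advisory's workaround to a handle about to open a WebSocket:
 * if the linked libcurl is in the affected range, disable auto-pong so the
 * crafted packet cannot trap it (the application must then answer PINGs
 * itself). Returns 1 if the option was set, 0 otherwise. */
int ws_harden_handle(CURL *easy)
{
    curl_version_info_data *info = curl_version_info(CURLVERSION_NOW);
    if (!info || !ws_autopong_loop_affected(info->version))
        return 0;                 /* 8.14.1+ is fixed; < 8.13.0 unaffected */
#ifdef CURLWS_NOAUTOPONG
    return curl_easy_setopt(easy, CURLOPT_WS_OPTIONS,
                            (long)CURLWS_NOAUTOPONG) == CURLE_OK;
#else
    return 0;   /* headers predate the option: upgrading is the only fix */
#endif
}
#endif
int main(void)
{
    const char *samples[] = { "8.12.1", "8.13.0", "8.14.0", "8.14.1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("libcurl %s: %s\n", samples[i],
               ws_autopong_loop_affected(samples[i]) ? "AFFECTED" : "ok");
    return 0;
}
```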
TIMELINE
--------
This issue was reported to the curl project on May 30, 2025. We contacted
distros@openwall on June 2, 2025.
curl 8.14.1 was released on June 4 2025 around 07:00 UTC, coordinated with the
publication of this advisory.
The curl security team is not aware of any active exploits using this
vulnerability.
CREDITS
-------
- Reported-by: z2_ on hackerone
- Patched-by: z2_ on hackerone
Thanks a lot!
--
/ daniel.haxx.se || https://rock-solid.curl.dev