CVE-2025-10966
Publication date 5 November 2025
Last updated 12 November 2025
Ubuntu priority
CVSS 3 Severity Score
Description
curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.
Why is this CVE low priority?
Curl developers have rated this as being a low severity issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 25.10 questing | Not affected |
| curl | 25.04 plucky | Not affected |
| curl | 24.04 LTS noble | Not affected |
| curl | 22.04 LTS jammy | Not affected |
| curl | 20.04 LTS focal | Not affected |
| curl | 18.04 LTS bionic | Not affected |
| curl | 16.04 LTS xenial | Not affected |
| curl | 14.04 LTS trusty | Not affected |
Notes
mdeslaur
introduced in: https://github.com/curl/curl/commit/6773c7ca65cf2183295e56
Ubuntu package does not use the wolfSSL backend.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |