CVE-2025-11563

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://curl.se/docs/CVE-2025-11563.html	Patch Vendor Advisory
https://curl.se/docs/CVE-2025-11563.json	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/11/04/1	Mailing List Third Party Advisory
https://lists.debian.org/debian-release/2025/11/msg00504.html	Mailing List Third Party Advisory Patch

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:curl:wcurl:*:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 08:16

Updated : 2026-02-26 20:06

NVD link : CVE-2025-11563

Mitre link : CVE-2025-11563

CVE.ORG link : CVE-2025-11563

JSON object : View

Products Affected

curl

wcurl

haxx

curl

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-11563", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2026-02-25T08:16:18.337", "references": [{"url": "https://curl.se/docs/CVE-2025-11563.html", "tags": ["Patch", "Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2025-11563.json", "tags": ["Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/04/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-release/2025/11/msg00504.html", "tags": ["Mailing List", "Third Party Advisory", "Patch"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into\nsaving the output file outside of the current directory without the user\nexplicitly asking for it.\n\nThis flaw only affects the wcurl command line tool."}, {"lang": "es", "value": "Las URL que contienen barras codificadas por porcentaje ('/' o '\\') pueden enga\u00f1ar a wcurl para que guarde el archivo de salida fuera del directorio actual sin que el usuario lo solicite expl\u00edcitamente.\n\nEste fallo solo afecta a la herramienta de l\u00ednea de comandos wcurl."}], "lastModified": "2026-02-26T20:06:37.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:curl:wcurl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E74B21B-AEC7-4FE3-AF2D-E30036CF6B49", "versionEndExcluding": "2025-11-09", "versionStartIncluding": "2024-12-08"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7DBCC6EF-C6A7-4AB4-96CA-A72C6F264D26", "versionEndExcluding": "8.18.0", "versionStartIncluding": "8.14.0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9"}