CVE-2025-13034

When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped under a certain condition, so curl would allow the connection without performing the proper check and would not notice a possible impostor. For the check to be skipped, the connection had to be made over QUIC with ngtcp2 built to use GnuTLS, and the user had to explicitly disable the standard certificate verification.

References
Link | Resource
https://curl.se/docs/CVE-2025-13034.html | Patch, Vendor Advisory
https://curl.se/docs/CVE-2025-13034.json | Vendor Advisory

Configurations

Configuration 1

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

History

17 Jun 2026, 08:33

Type | Values Removed | Values Added
References | https://curl.se/docs/CVE-2025-13034.html - Vendor Advisory, Patch | https://curl.se/docs/CVE-2025-13034.html - Patch, Vendor Advisory
Summary | | (es) When using the 'CURLOPT_PINNEDPUBLICKEY' option with libcurl or '--pinnedpubkey' with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped under a certain condition, which would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be made with QUIC with ngtcp2 built to use GnuTLS, and the user had to explicitly disable the standard certificate verification.

20 Jan 2026, 14:54

Type | Values Removed | Values Added
References | https://curl.se/docs/CVE-2025-13034.html - | https://curl.se/docs/CVE-2025-13034.html - Vendor Advisory, Patch
References | https://curl.se/docs/CVE-2025-13034.json - | https://curl.se/docs/CVE-2025-13034.json - Vendor Advisory
First Time | | Haxx curl, Haxx
CPE | | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

08 Jan 2026, 15:15

Type | Values Removed | Values Added
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 5.9
CWE | | CWE-295

08 Jan 2026, 10:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-01-08 10:15

Updated : 2026-06-17 08:33


NVD link : CVE-2025-13034

Mitre link : CVE-2025-13034

CVE.ORG link : CVE-2025-13034



Products Affected

haxx

  • curl
CWE
CWE-295

Improper Certificate Validation