{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2014-8151",
  "aliases": [
    "CVE-2014-8151"
  ],
  "summary": "Secure Transport certificate check bypass",
  "modified": "2026-05-19T11:21:50.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2014-8151.json",
    "www": "https://curl.se/docs/CVE-2014-8151.html",
    "CWE": {
      "id": "CWE-297",
      "desc": "Improper Validation of Certificate with Host Mismatch"
    },
    "last_affected": "7.39.0",
    "severity": "Medium"
  },
  "published": "2015-01-08T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.31.0"},
             {"fixed": "7.40.0"}
           ]
         }
      ],
      "versions": [
        "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", 
        "7.33.0", "7.32.0", "7.31.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Marc Hesse at RethinkDB",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl stores TLS Session IDs in its associated Session ID cache when it\nconnects to TLS servers. In subsequent connects it reuses the entry in the\ncache to resume the TLS connection faster than when doing a full TLS\nhandshake. The actual implementation for the Session ID caching varies\ndepending on the underlying TLS backend.\n\nlibcurl allows applications to switch off certificate verification in two\ndifferent ways - using `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER`.\n\nWhen an application connected to a TLS server with certificate verification\ndisabled, it would store the Session ID in the cache. If a subsequent\nconnection was then made against the same host and port number, it would reuse\nthe former session and, because of the reused session from the cache, skip\nthe certificate check and wrongly accept any bad certificate that could be\npresented.\n\nThe problem was that the \"key\" used for caching Session IDs did not take the\ncertificate check status into account.\n\nThis problem is specific to libcurl built to use the Secure Transport backend\nfor TLS, so it can only affect Mac and iPhone based applications."
}