Awarded 505 USD

CVE-2025-0725

gzip integer overflow

Project curl Security Advisory, February 5th 2025 - Permalink

VULNERABILITY

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

INFO

This problem can only trigger when using a run-time zlib version 1.2.0.3 or older. zlib 1.2.0.4 was released on August 10, 2003. This means zlib versions that do not trigger this problem have been available and used for more than twenty-one years already. A zlib version 1.2.0.3 or earlier still in use is vulnerable to a wide range of security problems and a user using this is already in a spectacularly bad position.

libcurl featured code that at run-time takes a different code path for zlib versions before 1.2.0.4 because of a lack of functionality in those old versions, and this rarely used piece of code contained the vulnerable code path.

This bug is considered a C mistake. It is likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0725 to this issue.

CWE-680: Integer Overflow to Buffer Overflow

Severity: Low

While the impact of this problem is potentially huge, we struggled with setting a severity combined with the knowledge that a user vulnerable to this is using a zlib that is over twenty years old and vulnerable, and has practically "given up" all security. If there actually exist users vulnerable to this flaw in the world, they most likely already have worse problems than this to deal with.

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

SOLUTION

Starting in version 8.12.0, libcurl no longer supports zlib < 1.2.0.4. Using such a version will now instead cause a run-time error.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0

B - Apply the patch to your version and rebuild

C - Use a modern zlib

D - Avoid using the CURLOPT_ACCEPT_ENCODING option
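As an added example, not curl's own code, the following C program shows the kind of run-time check that the 8.12.0 fix performs and that recommendations C and D imply for applications that cannot upgrade: it parses the zlib version string libcurl reports at run time through `curl_version_info(CURLVERSION_NOW)->libz_version` (the same value `curl --version` prints as `libz/x.y.z`) and refuses to turn on CURLOPT_ACCEPT_ENCODING when the loaded zlib is older than 1.2.0.4. The function names and the sample version strings are constructed for this example; the block is self-contained so it compiles and runs without libcurl or zlib installed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* First zlib release that libcurl 8.12.0 accepts; anything older takes
 * the code path described in this advisory. */
static const unsigned ZLIB_MIN_SAFE[4] = {1, 2, 0, 4};

/* Parse a dotted zlib version string ("1.2.0.3", "1.2.11", "1.3.1") into up
 * to four numeric components. Missing trailing components are zero, so
 * "1.2.11" compares as 1.2.11.0. Parsing stops at the first character that
 * is not part of a dotted number (a distro suffix such as "-motley").
 * Returns 0 if the string does not even start with a digit. */
static int parse_zlib_version(const char *s, unsigned parts[4])
{
    unsigned i;
    for (i = 0; i < 4; i++)
        parts[i] = 0;
    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;
    for (i = 0; i < 4; i++) {
        char *end;
        parts[i] = (unsigned)strtoul(s, &end, 10);
        s = end;
        /* Continue only on ".<digit>"; otherwise this component was the last. */
        if (*s != '.' || !isdigit((unsigned char)s[1]))
            break;
        s++;
    }
    return 1;
}

/* Lexicographic compare of two parsed versions: <0, 0 or >0. */
static int compare_parts(const unsigned a[4], const unsigned b[4])
{
    unsigned i;
    for (i = 0; i < 4; i++) {
        if (a[i] < b[i])
            return -1;
        if (a[i] > b[i])
            return 1;
    }
    return 0;
}

/* Returns 1 when the run-time zlib is older than 1.2.0.4 and therefore in
 * the affected range, or when the string cannot be parsed at all (fail
 * closed: an unknown version is treated as vulnerable). Returns 0 otherwise. */
int zlib_version_is_vulnerable(const char *version)
{
    unsigned parts[4];
    if (!parse_zlib_version(version, parts))
        return 1;
    return compare_parts(parts, ZLIB_MIN_SAFE) < 0;
}

/* Policy helper (hypothetical name): should this process set
 * CURLOPT_ACCEPT_ENCODING? Pass curl_version_info(CURLVERSION_NOW)->libz_version;
 * that pointer is NULL when libcurl was built without zlib, in which case
 * there is no gzip decoder to enable and the answer is simply "no". */
int accept_encoding_allowed(const char *libz_version)
{
    if (libz_version == NULL)
        return 0;
    return !zlib_version_is_vulnerable(libz_version);
}

int main(void)
{
    /* Constructed sample strings; a real program takes the single value
     * reported by curl_version_info() instead. */
    const char *samples[] = {"1.1.4", "1.2.0.3", "1.2.0.4", "1.2.11",
                             "1.3.1", "1.2", "1.2.11.1-motley", "bogus", NULL};
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *v = samples[i];
        printf("libz/%s: %s\n", v ? v : "(none)",
               accept_encoding_allowed(v) ? "enable CURLOPT_ACCEPT_ENCODING"
                                          : "leave CURLOPT_ACCEPT_ENCODING unset");
    }
    return 0;
}
```

The check deliberately looks at the library loaded at run time rather than at compile-time constants such as zlib's ZLIB_VERNUM macro, because, as the INFO section notes, the vulnerable path was selected by libcurl at run time based on the zlib version actually in use; a binary built against a modern zlib but executed with an ancient shared library would pass a compile-time check and still be exposed.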

TIMELINE

This issue was reported to the curl project on January 23, 2025. We contacted distros@openwall on January 28, 2025.

curl 8.12.0 was released on February 5, 2025 around 08:00 UTC, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!