{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2025-11563",
  "aliases": [
    "CVE-2025-11563"
  ],
  "summary": "wcurl path traversal with percent-encoded slashes",
  "modified": "2026-01-07T07:59:34.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "wcurl",
    "URL": "https://curl.se/docs/CVE-2025-11563.json",
    "www": "https://curl.se/docs/CVE-2025-11563.html",
    "CWE": {
      "id": "CWE-35",
      "desc": "Path Traversal"
    },
    "last_affected": "8.17.0",
    "severity": "Moderate"
  },
  "published": "2026-01-07T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {"introduced": "8.14.0"},
            {"fixed": "8.18.0"}
          ]
        },
        {
          "type": "GIT",
          "repo": "https://github.com/curl/curl.git",
          "events": [
            {"introduced": "23bed347b3892277938259"},
            {"fixed": "79d3e1d7d44dda65fdc303a53a44109583135b12"}
          ]
        },
        {
          "type": "GIT",
          "repo": "https://github.com/curl/wcurl.git",
          "events": [
            {"introduced": "e01d578582a23695ee3cec08"},
            {"fixed": "65546bae0164a97d89d42176e366d9c7c7796261"}
          ]
        }
      ],
      "versions": [
        "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Stanislav Fort (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Samuel Henrique",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Sergio Durigan Junior",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Xi Ruoyao",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into\nsaving the output file outside of the current directory without the user\nexplicitly asking for it.\n\nThis flaw only affects the wcurl command line tool."
}