Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Known Risks Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / No QUIC certificate pinning with GnuTLS
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Vulnerability Disclosure
Vulnerabilities Table
Awarded 2540 USD

CVE-2025-13034

No QUIC certificate pinning with GnuTLS

Project curl Security Advisory, January 7 2026 - Permalink

VULNERABILITY

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

INFO

curl contains support for several different QUIC and TLS backends. Other QUIC backends or the ngtcp2 backend built with another TLS library are not affected by this flaw.

If instead connecting to a server over HTTP/1 or HTTP/2, the pinning check works fine and does properly detect impostors.

This issue is similar to CVE-2025-5025 but for a different TLS library.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-13034 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION

Starting in curl 8.18.0, this mistake is fixed.

RECOMMENDATIONS

A - Upgrade curl to version 8.18.0

B - Build curl with another TLS library

C - Avoid using HTTP/3

TIMELINE

This issue was reported to the curl project on November 9, 2025. We contacted distros@openwall on December 30, 2025.

curl 8.18.0 was released on January 7 2026 around 07:00 UTC, coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this vulnerability.

CREDITS

Thanks a lot!