{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2025-5399",
  "aliases": [
    "CVE-2025-5399"
  ],
  "summary": "WebSocket endless loop",
  "modified": "2025-06-04T07:44:49.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2025-5399.json",
    "www": "https://curl.se/docs/CVE-2025-5399.html",
    "issue": "https://hackerone.com/reports/3168039",
    "CWE": {
      "id": "CWE-835",
      "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
    },
    "award": {
      "amount": "505",
      "currency": "USD"
    },
    "last_affected": "8.14.0",
    "severity": "Low"
  },
  "published": "2025-06-04T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.13.0"},
             {"fixed": "8.14.1"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "3588df9478d7c27046b34cdb510728a26bedabc7"},
             {"fixed": "d1145df24de8f80e6b167fbc4f28b86bcd0c6832"}
           ]
        }
      ],
      "versions": [
        "8.14.0", "8.13.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "z2_ on hackerone",
      "type": "FINDER"
    },
    {
      "name": "z2_ on hackerone",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "Due to a mistake in libcurl's WebSocket code, a malicious server can send a\nspecially crafted packet which makes libcurl get trapped in an endless\nbusy-loop.\n\nThere is no way for the application to escape or exit this loop other\nthan killing the thread/process.\n\nThis might be used to DoS a libcurl-using application."
}