ALPINE-CVE-2025-4947

ALPINE-CVE-2025-4947 PUBLISHED CVSS 6.5 MEDIUM

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.23	curl	8.0.0-r0, 8.9.1-r2, 8.9.1-r1
Alpine:v3.22	curl	0, 8.9.1-r2, 8.9.1-r1
Alpine:v3.20	curl	7.34.0-r0, 0, 7.19.2-r0
Alpine:v3.19	curl	8.9.1-r1, 8.9.1-r0, 8.9.0-r0
Alpine:v3.21	curl	8.9.1-r0, 8.9.0-r0, 8.8.0-r1

Exploit Intelligence

glcve_test.go (github-poc)

Timeline

May 28, 2025 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2025-4947 advisory

Open in Interactive Console →