ALPINE-CVE-2025-4947 — Vulnetix

Try Vulnetix Request Demo

ALPINE-CVE-2025-4947 PUBLISHED CVSS 6.5 MEDIUM

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.23	curl	7.37.1-r0, 7.50.3-r0, 7.50.2-r0
Alpine:v3.22	curl	8.3.0-r1, 8.11.0-r1, 8.11.0-r0
Alpine:v3.20	curl	7.21.1-r0, 0, 7.19.2-r0
Alpine:v3.19	curl	0, 8.9.1-r1, 8.9.1-r0
Alpine:v3.21	curl	8.0.0-r0, 7.88.1-r1, 7.88.1-r0

Timeline

May 28, 2025 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2025-4947 advisory

Open in Interactive Console →