curl WebSocket Predictable Mask Vulnerability Allowing Cache Poisoning

Vulnerability

A vulnerability exists in curl's WebSocket implementation, specifically in versions 8.11.0 through 8.15.0. The issue arises because the WebSocket code fails to update the 32-bit mask pattern for each outgoing frame, as required by the WebSocket specification (RFC 6455). Instead, a fixed mask is used throughout the entire connection. This predictable masking allows a malicious server to manipulate traffic between two parties, potentially poisoning the cache of an involved proxy (either configured or transparent) with fake HTTP content. This cached, poisoned content could then be served to users of that proxy, leading to further exploitation.

Impact

Exploitation of this vulnerability can lead to cache poisoning on proxies that misinterpret WebSocket traffic as regular HTTP, potentially allowing malicious content to be served to users.

Remediation

Users are advised to upgrade curl to version 8.16.0 or later, where this vulnerability has been fixed.
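The fixed mask described under Vulnerability is visible on the wire, so a captured client-to-server WebSocket stream can be checked for it. The following is an added example, not code from curl or from this advisory: it parses RFC 6455 frame headers and flags consecutive frames that share a masking key. The function names (`build_frame`, `mask_keys`, `reuses_mask`) are hypothetical and the sample traffic is constructed.

```python
import os
import struct

def build_frame(payload: bytes, mask: bytes, opcode: int = 0x2) -> bytes:
    """Encode one masked client-to-server frame with FIN set (RFC 6455, 5.2)."""
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])
    elif n < 1 << 16:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        length = bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode]) + length + mask + masked

def mask_keys(stream: bytes) -> list:
    """Return the masking key of every complete frame in a client-to-server stream."""
    keys, pos = [], 0
    while pos + 2 <= len(stream):
        second = stream[pos + 1]
        if not second & 0x80:
            raise ValueError("client frame without MASK bit at offset %d" % pos)
        n, pos = second & 0x7F, pos + 2
        ext = {126: 2, 127: 8}.get(n, 0)      # size of the extended length field
        if pos + ext > len(stream):
            break                              # capture ends inside the header
        if ext:
            n = int.from_bytes(stream[pos:pos + ext], "big")
            pos += ext
        if pos + 4 + n > len(stream):
            break                              # capture ends inside this frame
        keys.append(stream[pos:pos + 4])
        pos += 4 + n
    return keys

def reuses_mask(stream: bytes) -> bool:
    """True when two consecutive frames carry the same 32-bit masking key."""
    keys = mask_keys(stream)
    return any(a == b for a, b in zip(keys, keys[1:]))

if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    payloads = [b"hello", b"x" * 300, b"bye"]
    fixed = b"".join(build_frame(p, b"\x11\x22\x33\x44") for p in payloads)
    fresh = b"".join(build_frame(p, os.urandom(4)) for p in payloads)
    print("fixed mask flagged:", reuses_mask(fixed))
    print("fresh masks flagged:", reuses_mask(fresh))
```

The check needs the plaintext frame bytes, so it applies to `ws://` traffic or to a stream captured after TLS termination.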

Added: Sep 12, 2025, 6:30 AM
Updated: Sep 12, 2025, 6:30 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 5.4
remediation: 7.9
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.