Bug 2394749 (CVE-2025-10148)

Summary: CVE-2025-10148 curl: predictable WebSocket mask
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, crizzo, csutherl, dbosanac, gtanzill, jbuscemi, jclere, jmitchel, jreimann, kshier, mdessi, mrizzi, pbohmill, pcattana, pjindal, plodge, sdawley, stcannon, szappis, teagle, vchlup, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in curl. The use of a predictable WebSocket mask pattern allows a malicious server to induce traffic that an intermediary proxy (whether configured or transparent) will misinterpret as a standard HTTP request. This confusion leads to a cache poisoning attack, where the proxy stores the server's malicious content and serves it to all users of that proxy.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2394854, 2394853    
Bug Blocks:    

Description OSIDB Bzimport 2025-09-12 06:01:22 UTC 
curl's websocket code did not update the 32 bit mask pattern for each new
 outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.