2426409 – (CVE-2025-15079) CVE-2025-15079 curl: Host verification bypass during SSH transfers

Bug 2426409 (CVE-2025-15079) - CVE-2025-15079 curl: Host verification bypass during SSH transfers

Summary: CVE-2025-15079 curl: Host verification bypass during SSH transfers

Keywords:
Status:	NEW
Alias:	CVE-2025-15079
Deadline:	2026-01-07
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-31 04:09 UTC by OSIDB Bzimport
Modified:	2026-04-08 08:41 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-31 04:09:20 UTC

When doing SSH-based transfers using either SCP or SFTP, and setting the
knownhosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* knownhosts file.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
crizzo
csutherl
dbosanac
gtanzill
jbuscemi
jcantril
jclere
jmitchel
jreimann
kshier
mdessi
mrizzi
pbohmill
pcattana
pjindal
plodge
rojacob
sdawley
security-response-team
stcannon
szappis
teagle
vchlup
yguenane