2394749 – (CVE-2025-10148) CVE-2025-10148 curl: predictable WebSocket mask

Bug 2394749 (CVE-2025-10148) - CVE-2025-10148 curl: predictable WebSocket mask

Summary: CVE-2025-10148 curl: predictable WebSocket mask

Keywords:
Status:	NEW
Alias:	CVE-2025-10148
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2394854 2394853
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-12 06:01 UTC by OSIDB Bzimport
Modified:	2025-09-12 18:16 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-12 06:01:22 UTC

curl's websocket code did not update the 32 bit mask pattern for each new
 outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
crizzo
csutherl
dbosanac
gtanzill
jbuscemi
jclere
jmitchel
jreimann
kshier
mdessi
mrizzi
pcattana
pjindal
plodge
sdawley
stcannon
szappis
vchlup
yguenane