CVE-2025-0725

Severity CVSS v4.0:
Pending analysis
Type:
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
05/02/2025
Last modified:
27/06/2025

Description

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:netapp:hci_baseboard_management_controller:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:hci_h610s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_h610s:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:hci_h610c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_h610c:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:hci_h615c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_h615c:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire_\&_hci_storage_node:-:*:*:*:*:*:*:*
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* 7.10.5 (including) 8.12.0 (excluding)
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* 7.10.5 (including) 8.12.0 (excluding)
cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:* 1.2.0.3 (including)