Description
libcurl did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. libcurl wrongly skipped calling mbedTLS's set-hostname function (mbedtls_ssl_set_hostname) when the host name was given as an IP address, and as a result skipped the certificate check entirely, so a man-in-the-middle presenting an arbitrary certificate would be accepted. This affects every TLS-based protocol libcurl speaks (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.). Only curl's mbedTLS backend is affected; builds using another TLS backend are not. The flaw was introduced in curl 8.5.0 and fixed in curl 8.7.0.
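The quickest practical check for this flaw is to look at what `curl --version` reports: which TLS backend libcurl is linked against and which libcurl version it is. The script below is an added example, not code from the curl project. It parses the first banner line (assumed to follow the standard `curl --version` format, e.g. `curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 ...`), flags builds that use mbedTLS and fall in the affected range 8.5.0 through 8.6.0 (fixed in 8.7.0), and runs the same logic against constructed sample banners.

```python
"""Flag curl builds exposed to the mbedTLS IP-address certificate-check bypass.

Added example, not code from the curl project. It inspects the first line of
`curl --version` output: a build is flagged when libcurl is linked against
mbedTLS and the libcurl version is in the affected range 8.5.0 <= v < 8.7.0.
The sample banners in SAMPLES are constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (8, 5, 0)   # first affected release
FIXED_IN: Version = (8, 7, 0)       # first release with the fix

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")
_MBEDTLS_RE = re.compile(r"\bmbedTLS/", re.IGNORECASE)


def parse_banner(banner: str) -> Tuple[Optional[Version], bool]:
    """Return (libcurl version, uses_mbedtls) from a `curl --version` banner.

    Only the first line carries the version and TLS backend list; multi-backend
    builds list the backends in parentheses, e.g. "(OpenSSL/3.0.13 mbedTLS/3.5.1)".
    """
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    m = _LIBCURL_RE.search(first)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None
    uses_mbedtls = _MBEDTLS_RE.search(first) is not None
    return version, uses_mbedtls


def is_affected(banner: str) -> bool:
    """True when the banner describes an mbedTLS build in the affected range."""
    version, uses_mbedtls = parse_banner(banner)
    if version is None or not uses_mbedtls:
        return False
    return AFFECTED_MIN <= version < FIXED_IN


def check_installed(curl_path: str = "curl") -> bool:
    """Run the local curl binary and report whether it is affected."""
    out = subprocess.run([curl_path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(out)


# Constructed sample banners (not captured from real systems).
SAMPLES = {
    "mbedtls_8.6.0": "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3\n"
                     "Release-Date: 2024-01-31\n",
    "mbedtls_8.7.1": "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 mbedTLS/3.6.0 zlib/1.3\n",
    "openssl_8.6.0": "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3\n",
    "mbedtls_8.4.0": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 mbedTLS/3.4.1 zlib/1.3\n",
    "multi_8.5.0":   "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (OpenSSL/3.0.13 mbedTLS/3.5.1)\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:14s} affected={is_affected(banner)}")
```

For a multi-backend build (the `multi_8.5.0` sample) the check is conservative: the bypass only triggers when mbedTLS is the backend actually selected at runtime (for example via the CURL_SSL_BACKEND environment variable), so such a build is flagged because it can be put into the vulnerable configuration. Distribution packages may also backport the fix without bumping the version string, so treat a positive result as a prompt to confirm with the vendor rather than as proof.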
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- low
- Availability
- none
- Weaknesses
- CWE-297
Metadata
- Primary Vendor
- HAXX
- Published
- 3/27/2024
- Last Modified
- 7/30/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
- haxx : curl
- apple : macos
- netapp : h700s_firmware
- netapp : bootstrap_os
- netapp : h300s_firmware
- netapp : h410s_firmware
- netapp : h500s_firmware