CVE-2025-11563
Published: November 7, 2025
Last modified: December 22, 2025
Description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
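The check this flaw calls for, as an added example (not wcurl's code and not part of the original advisory): percent-decode the URL's last path segment first, then refuse any name that still contains a path separator. The function names and the `index.html` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not taken from wcurl).

# percent_decode STRING: print STRING with every %XX sequence decoded.
percent_decode() {
    in=$1
    out=
    while [ -n "$in" ]; do
        case $in in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${in#%}                  # drop the leading '%'
                hex=${hex%"${hex#??}"}       # keep the two hex digits
                # hex -> octal, then let printf %b emit that byte
                out=$out$(printf '%b' "\\0$(printf '%o' "0x$hex")")
                in=${in#%??} ;;
            *)
                out=$out${in%"${in#?}"}      # copy one literal character
                in=${in#?} ;;
        esac
    done
    printf '%s' "$out"
}

# safe_output_name URL: print a filename that stays in the current
# directory, or return 1 if the decoded name would leave it.
safe_output_name() {
    url=${1%%[?#]*}                          # strip query and fragment
    rest=${url#*://}                         # strip the scheme
    case $rest in
        */*) seg=${rest##*/} ;;              # last path segment, still encoded
        *)   seg= ;;                         # no path at all
    esac
    name=$(percent_decode "$seg")
    case $name in
        '')               name=index.html ;; # assumed fallback name
        .|..|*/*|*\\*)    return 1 ;;        # decoded '/' or '\' or dot-only name
    esac
    printf '%s\n' "$name"
}
```

Validating only the raw segment is not enough, because `%2F` and `%5C` contain no separator until they are decoded; the decision has to be made on the decoded name.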
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.6 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | curl | Not affected (8.1.0-r2) |
| Alpaquita Linux | 25 LTS | curl | Vulnerable (8.14.0-r1) |
| Alpaquita Linux | Stream | curl | Fixed (8.17.0-r0) |
| Hardened Containers | Stream | curl | Fixed (8.17.0-r0) |