SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2025-0665

CVE-2025-0665: Haxx Curl Use-After-Free Vulnerability

CVE-2025-0665 is a use-after-free vulnerability in Haxx Curl's libcurl that causes double-closing of eventfd file descriptors during threaded name resolution. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-0665 Overview

libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolve.

Critical Impact

This vulnerability can be exploited remotely resulting in potential denial of service conditions or further exploits like remote code execution due to underlying resource misuse.

Affected Products

  • haxx curl
  • netapp bootstrap_os
  • netapp hci_compute_node

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to haxx
  • Not Available - CVE CVE-2025-0665 assigned
  • Not Available - haxx releases security patch
  • 2025-02-05 - CVE CVE-2025-0665 published to NVD
  • 2025-07-30 - Last updated in NVD database

Technical Details for CVE-2025-0665

Vulnerability Analysis

The vulnerability arises when libcurl closes an eventfd file descriptor twice, leading to improper resource management. This could result in unexpected behavior or system crashes, making systems running affected versions of libcurl vulnerable to potential disruption services.

Root Cause

The root cause is the mismanagement of file descriptors in the codebase, specifically closing the same eventfd descriptor twice.

Attack Vector

Network-based attacks can be leveraged to exploit this vulnerability, often requiring no prior authentication or more than nominal user interaction.

c
// Example exploitation code (sanitized)
int fd = eventfd(0, 0);
if (fd == -1) {
    perror("eventfd");
    exit(EXIT_FAILURE);
}
// Incorrectly closing the descriptor twice can lead to undefined behavior
close(fd);
// Vulnerability occurs here
close(fd);

Detection Methods for CVE-2025-0665

Indicators of Compromise

  • Unusual error logs related to eventfd operations
  • Unexpected process terminations
  • Repeated resource exhaustion alerts

Detection Strategies

Utilize monitoring tools to detect repeated close() operations on the same file descriptor. Additionally, track system logs for anomalies in process behavior following network communications relying on threaded name resolution.

Monitoring Recommendations

Employ comprehensive runtime protection via SentinelOne's cutting-edge behavioral AI to monitor and block unexpected system calls and resource operations indicative of potential exploit attempts on vulnerable libcurl instances.

How to Mitigate CVE-2025-0665

Immediate Actions Required

  • Update to the latest patch of curl as per vendor recommendations
  • Monitor network access logs for repeated or failed connection attempts
  • Restrict network access to services using vulnerable libcurl versions

Patch Information

Refer to the vendor's advisory for updates and security patches as available at curl's CVE advisory.

Workarounds

Implement stricter file descriptor management within your application until a patch can be applied. Consider isolating vulnerable processes into containers for enhanced security.

bash
# Example of isolating a process in a temporary container
docker run --rm -v /app:/app isolated-libcurl:latest

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne