CVE-2025-15079: libcurl SSH Host Verification Bypass

CVE-2025-15079 Overview

CVE-2025-15079 is a certificate validation bypass vulnerability in libcurl that affects SSH-based file transfers using SCP or SFTP protocols. When applications configure a specific known_hosts file for SSH host key verification, libcurl may incorrectly accept connections to hosts that are not present in the specified file if those hosts exist in the libssh global known_hosts file. This behavior undermines the security controls intended by the application developer, potentially allowing man-in-the-middle attacks.

Critical Impact
Applications relying on custom known_hosts files for strict host verification may inadvertently connect to unauthorized SSH servers, potentially exposing sensitive data during SCP/SFTP transfers.

Affected Products

libcurl (versions using libssh backend for SCP/SFTP)
Applications using libcurl for SSH-based file transfers with custom known_hosts configuration

Discovery Timeline

2026-01-07 - Vulnerability disclosed on Openwall OSS Security mailing list
2026-01-08 - CVE CVE-2025-15079 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-15079

Vulnerability Analysis

This vulnerability is classified as CWE-297 (Improper Validation of Certificate with Host Mismatch). The core issue lies in how libcurl handles SSH host key verification when using the libssh backend for SCP and SFTP transfers.

When an application explicitly sets a custom known_hosts file via the CURLOPT_SSH_KNOWNHOSTS option, the expectation is that only hosts present in that specific file will be accepted. However, due to a flaw in the host verification logic, libcurl also consults the libssh global known_hosts file (typically located at /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts) and accepts connections to hosts found there, even if they are absent from the application-specified file.

This behavior violates the principle of least privilege and breaks the security model that applications may depend on for isolating SSH trust decisions. The vulnerability requires network access and user interaction, making exploitation more complex but still viable in targeted attack scenarios.

Root Cause

The root cause stems from improper precedence handling in libcurl's SSH host key verification code when using the libssh backend. Instead of exclusively checking the user-specified known_hosts file, the verification logic falls through to check the global libssh known hosts database. This creates an unexpected trust relationship where hosts trusted globally by the system are also implicitly trusted by applications attempting to enforce stricter host verification policies.

Attack Vector

The attack vector is network-based and requires an attacker to position themselves between the victim application and the intended SSH server. An attacker could exploit this vulnerability through the following scenario:

The target application uses libcurl with a custom known_hosts file for SCP/SFTP transfers to a specific set of trusted servers
The attacker adds their malicious SSH server's host key to the system's global known_hosts file (requires prior system compromise or social engineering)
Through DNS spoofing, ARP poisoning, or BGP hijacking, the attacker redirects the application's SSH connection to their malicious server
Due to this vulnerability, libcurl accepts the connection because the attacker's host key exists in the global known_hosts file, bypassing the application's intended strict verification
The attacker can intercept, modify, or exfiltrate data from the SCP/SFTP transfer

The attack complexity is high because it requires either prior access to modify the global known_hosts file or a combination of network-level attacks and user interaction.

Detection Methods for CVE-2025-15079

Indicators of Compromise

Unexpected SSH connections to IP addresses not associated with configured transfer targets
Discrepancies between hosts in application-specific known_hosts files and actual connection destinations
SSH connection logs showing successful authentication to hosts not in the custom known_hosts file
Network traffic analysis revealing SCP/SFTP sessions to unexpected destinations

Detection Strategies

Audit applications using libcurl with CURLOPT_SSH_KNOWNHOSTS option for SCP/SFTP functionality
Compare the global known_hosts file contents against expected trusted hosts to identify potentially malicious entries
Implement network monitoring to detect SSH connections to unexpected destinations from applications using libcurl
Review system logs for modifications to global SSH known_hosts files

Monitoring Recommendations

Enable verbose logging for libcurl operations in affected applications to track SSH host verification decisions
Monitor filesystem changes to /etc/ssh/ssh_known_hosts and user-level ~/.ssh/known_hosts files
Implement network segmentation and firewall rules to restrict SSH outbound connections to approved destinations
Deploy intrusion detection signatures for anomalous SCP/SFTP traffic patterns

How to Mitigate CVE-2025-15079

Immediate Actions Required

Review all applications using libcurl for SSH-based file transfers (SCP/SFTP) with custom known_hosts configurations
Audit and restrict the contents of global SSH known_hosts files to minimize trust surface
Consider implementing additional network-level controls to restrict SSH connections to known, trusted servers
Monitor cURL project advisories for patches addressing this vulnerability

Patch Information

The cURL project has documented this vulnerability in their security advisory. For detailed patch information and affected version details, refer to the cURL CVE-2025-15079 Documentation. The vulnerability was also reported through the HackerOne Bug Bounty Program and discussed on the Openwall OSS Security mailing list.

Organizations should update to patched versions of libcurl as soon as they become available. Check the cURL CVE-2025-15079 JSON Data for machine-readable vulnerability details and version information.

Workarounds

Implement strict firewall rules limiting SSH connections to explicitly allowed destination hosts
Use SSH certificate-based authentication instead of known_hosts file verification where possible
Deploy a network proxy or bastion host for all SSH-based file transfers to centralize trust decisions
Consider using alternative libcurl backends that may not exhibit this behavior (verify before deployment)

bash

# Configuration example - Restrict SSH outbound connections at firewall level
# Allow SSH only to known trusted hosts
iptables -A OUTPUT -p tcp --dport 22 -d trusted.server.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j DROP

# Audit global known_hosts file for unexpected entries
diff /etc/ssh/ssh_known_hosts /path/to/expected_known_hosts

CVE-2025-15079 Overview

Critical Impact
Applications relying on custom known_hosts files for strict host verification may inadvertently connect to unauthorized SSH servers, potentially exposing sensitive data during SCP/SFTP transfers.

Affected Products

libcurl (versions using libssh backend for SCP/SFTP)
Applications using libcurl for SSH-based file transfers with custom known_hosts configuration

Discovery Timeline

2026-01-07 - Vulnerability disclosed on Openwall OSS Security mailing list
2026-01-08 - CVE CVE-2025-15079 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-15079

Vulnerability Analysis

Root Cause

Attack Vector

The target application uses libcurl with a custom known_hosts file for SCP/SFTP transfers to a specific set of trusted servers
The attacker adds their malicious SSH server's host key to the system's global known_hosts file (requires prior system compromise or social engineering)
Through DNS spoofing, ARP poisoning, or BGP hijacking, the attacker redirects the application's SSH connection to their malicious server
Due to this vulnerability, libcurl accepts the connection because the attacker's host key exists in the global known_hosts file, bypassing the application's intended strict verification
The attacker can intercept, modify, or exfiltrate data from the SCP/SFTP transfer

The attack complexity is high because it requires either prior access to modify the global known_hosts file or a combination of network-level attacks and user interaction.

Detection Methods for CVE-2025-15079

Indicators of Compromise

Unexpected SSH connections to IP addresses not associated with configured transfer targets
Discrepancies between hosts in application-specific known_hosts files and actual connection destinations
SSH connection logs showing successful authentication to hosts not in the custom known_hosts file
Network traffic analysis revealing SCP/SFTP sessions to unexpected destinations

Detection Strategies

Audit applications using libcurl with CURLOPT_SSH_KNOWNHOSTS option for SCP/SFTP functionality
Compare the global known_hosts file contents against expected trusted hosts to identify potentially malicious entries
Implement network monitoring to detect SSH connections to unexpected destinations from applications using libcurl
Review system logs for modifications to global SSH known_hosts files

Monitoring Recommendations

Enable verbose logging for libcurl operations in affected applications to track SSH host verification decisions
Monitor filesystem changes to /etc/ssh/ssh_known_hosts and user-level ~/.ssh/known_hosts files
Implement network segmentation and firewall rules to restrict SSH outbound connections to approved destinations
Deploy intrusion detection signatures for anomalous SCP/SFTP traffic patterns

How to Mitigate CVE-2025-15079

Immediate Actions Required

Review all applications using libcurl for SSH-based file transfers (SCP/SFTP) with custom known_hosts configurations
Audit and restrict the contents of global SSH known_hosts files to minimize trust surface
Consider implementing additional network-level controls to restrict SSH connections to known, trusted servers
Monitor cURL project advisories for patches addressing this vulnerability

Patch Information

Workarounds

Implement strict firewall rules limiting SSH connections to explicitly allowed destination hosts
Use SSH certificate-based authentication instead of known_hosts file verification where possible
Deploy a network proxy or bastion host for all SSH-based file transfers to centralize trust decisions
Consider using alternative libcurl backends that may not exhibit this behavior (verify before deployment)

bash

# Configuration example - Restrict SSH outbound connections at firewall level
# Allow SSH only to known trusted hosts
iptables -A OUTPUT -p tcp --dport 22 -d trusted.server.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j DROP

# Audit global known_hosts file for unexpected entries
diff /etc/ssh/ssh_known_hosts /path/to/expected_known_hosts

CVE-2025-15079: libcurl SSH Host Verification Bypass

CVE-2025-15079 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-15079

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-15079

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-15079

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-15079: libcurl SSH Host Verification Bypass

CVE-2025-15079 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-15079

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-15079

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-15079

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform