CVE-2025-15224 Overview
CVE-2025-15224 is an improper authentication vulnerability (CWE-287) in cURL's SCP and SFTP support. When a transfer is configured for public key authentication, cURL also talks to a locally running SSH agent and can authenticate with a key the agent holds, even though the user never authorized agent use for that transfer. Authentication can therefore succeed with credentials the user did not intend to present.
Critical Impact
SCP/SFTP transfers may authenticate with a key served by a local SSH agent instead of the key the user configured, so actions on the remote host can be performed under unintended credentials.
Affected Products
- cURL and libcurl builds that include SCP/SFTP support, i.e. built against an SSH backend such as libssh2 or libssh (run curl -V: the version line names the SSH backend and the Protocols line lists scp and sftp when support is compiled in)
- Applications and systems that use libcurl for SSH-based transfers
- Environments where an SSH agent is reachable from the process performing the transfer, whether the agent runs locally or is exposed through agent forwarding
Discovery Timeline
- 2026-01-07 - Vulnerability disclosed via Openwall OSS-Security mailing list
- 2026-01-08 - CVE CVE-2025-15224 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-15224
Vulnerability Analysis
This is an improper authentication issue in cURL's SSH transfer handling. When a user configures an SCP or SFTP transfer to use public key authentication, cURL also queries whatever SSH agent is running locally and lets it take part in authentication, whether or not the user intended agent use for that operation.
The root cause lies in how cURL drives the underlying SSH library during authentication setup. Rather than strictly honoring the configured authentication method and key, cURL leaves agent authentication available whenever an agent socket is present on the system.
Root Cause
The vulnerability stems from improper authentication flow handling (CWE-287) in cURL's SSH subsystem. When public key authentication is requested for SCP or SFTP transfers, cURL fails to properly isolate the authentication context from locally available SSH agents. This allows the SSH agent to respond to authentication challenges even when the user has explicitly configured a different authentication method or specific key.
Attack Vector
This is a network-based vulnerability that requires user interaction to exploit. The attack scenario involves:
- A user configures cURL for SSH-based transfers with specific public key authentication settings
- An SSH agent is running locally on the same system
- When cURL initiates the transfer, it improperly queries the SSH agent
- The SSH agent responds with available keys and potentially completes authentication
- This may result in authentication using unintended credentials stored in the SSH agent
The recorded attack vector is network, but with high attack complexity and user interaction required: an attacker would need to influence the user's environment or the keys loaded into the agent, and the user must initiate the transfer.
Detection Methods for CVE-2025-15224
Indicators of Compromise
- Unexpected connections to the SSH agent socket (the path in SSH_AUTH_SOCK) from cURL processes performing SCP/SFTP transfers
- Server-side sshd authentication logs recording a public key fingerprint that does not match the key file named on the cURL command line (sshd cannot tell agent from file authentication, but it logs which key was accepted)
- Unusual SSH key usage patterns in audit logs
Detection Strategies
- Monitor SSH agent socket activity during cURL operations
- Audit authentication logs for SCP/SFTP transfers initiated by cURL
- Implement logging for SSH authentication method selection
- Review cURL command invocations that include SSH-related options
Monitoring Recommendations
- Run cURL with -v (--verbose) for SSH transfers so the authentication steps it attempts are visible in the output
- Monitor SSH_AUTH_SOCK environment variable usage during cURL executions
- Track authentication events correlating with cURL processes
- Implement alerting for unexpected SSH agent interactions
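One way to check the first indicator directly, added here as an example and not taken from the curl project or the advisory: record every connect() a curl process makes with strace and flag AF_UNIX connections to the agent socket. The function names, the trace file and the strace lines embedded below are constructed for the demonstration; strace output varies slightly between versions, so compare a real capture against the pattern before relying on it.

```shell
#!/bin/sh
# Added example, not curl project code: find SSH agent connections in an
# strace log of a curl SCP/SFTP transfer.
#
# Real capture (needs strace; host, key path and socket are illustrative):
#   strace -f -e trace=connect -o curl.trace \
#       curl -u user: --key ~/.ssh/specific_key sftp://example.com/file
#   agent_connects curl.trace "$SSH_AUTH_SOCK"

# Print the sun_path of every AF_UNIX connect() in TRACE_FILE that targets
# SOCK. With no SOCK given, report any path shaped like an OpenSSH agent
# socket (".../agent.<pid>") or gpg-agent's SSH socket ("S.gpg-agent.ssh").
agent_connects() {
    trace_file=$1
    sock=${2:-}
    awk -v sock="$sock" '
        /connect\(/ && /sa_family=AF_UNIX/ {
            if (match($0, /sun_path="[^"]*"/)) {
                # drop the 10-character prefix sun_path=" and the closing quote
                path = substr($0, RSTART + 10, RLENGTH - 11)
                if (sock != "") {
                    if (path == sock) print path
                } else if (path ~ /\/agent\.[0-9]+$/ || path ~ /S\.gpg-agent\.ssh$/) {
                    print path
                }
            }
        }' "$trace_file"
}

# Exit 0 when the trace shows no agent connection, 1 otherwise.
trace_is_clean() {
    [ -z "$(agent_connects "$@")" ]
}

# Constructed sample trace (not real curl output): one TCP connect to the
# SSH port, one connect to an agent socket, one unrelated Unix socket.
write_sample_trace() {
    cat > "$1" <<'EOF'
12345 connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
12345 connect(5, {sa_family=AF_UNIX, sun_path="/tmp/ssh-AbCdEf/agent.1001"}, 110) = 0
12345 connect(6, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
EOF
}

# Demo on the constructed sample, pretending the user's agent socket is the
# path below.
demo() {
    tmp=$(mktemp)
    write_sample_trace "$tmp"
    if trace_is_clean "$tmp" "/tmp/ssh-AbCdEf/agent.1001"; then
        echo "no agent connection recorded"
    else
        echo "agent socket contacted during transfer:"
        agent_connects "$tmp" "/tmp/ssh-AbCdEf/agent.1001"
    fi
    rm -f "$tmp"
}
demo
```

Passing the exact SSH_AUTH_SOCK path is the precise check; the pattern fallback is for traces collected on hosts where the agent socket location was not recorded alongside them.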
How to Mitigate CVE-2025-15224
Immediate Actions Required
- Review and update cURL installations to patched versions
- Audit systems for running SSH agents in environments where this could pose a risk
- Avoid SSH agent forwarding into hosts where cURL performs SSH transfers: a forwarded agent appears on the remote host as a local SSH_AUTH_SOCK and is reachable in exactly the same way
- Review cURL-based scripts and applications for SSH transfer usage
Patch Information
cURL has released a security patch addressing this vulnerability. Users should update to the latest patched version of cURL. Detailed patch information and updated releases are available through the official cURL security advisory. The vulnerability was also reported and tracked via HackerOne Report #3480925.
Workarounds
- Unset or clear the SSH_AUTH_SOCK environment variable before executing cURL commands for SSH-based transfers
- Stop or disable the SSH agent when not required for operations
- Use explicit key file authentication with the --key option (and --pubkey where the backend needs the public key file) and verify that no agent is queried
- Consider using alternative tools for SSH transfers until patching is complete
- Implement wrapper scripts that sanitize the environment before cURL invocations
# Workaround: make sure cURL cannot find an agent for this shell session
unset SSH_AUTH_SOCK
curl -u user: --key ~/.ssh/specific_key sftp://example.com/file
# Alternative: remove the variable for a single command only, in a subshell,
# so the rest of the session keeps its agent
(unset SSH_AUTH_SOCK; curl -u user: --key ~/.ssh/mykey scp://example.com/file)
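The wrapper script the list above asks for, as an added example and not curl project code: it runs curl in a subshell with the agent variables removed, so the caller's own shell keeps its agent, and it refuses to run unless a key file was named so the intended credential is explicit on the command line. It assumes the SSH backend locates the agent through SSH_AUTH_SOCK, which libssh2 and libssh do by default on Unix-like systems; a libssh2 build on Windows can reach Pageant without that variable and is not covered. Requiring --key is a policy of this wrapper, not of curl, and the function names, host and key path are illustrative.

```shell
#!/bin/sh
# Added example, not curl project code: run curl with no SSH agent reachable.
# Assumes the SSH backend finds the agent via SSH_AUTH_SOCK (Unix default for
# libssh2 and libssh). Windows/Pageant builds are not covered.

AGENT_VARS="SSH_AUTH_SOCK SSH_AGENT_PID"

# Run "$@" with the agent variables removed. The subshell confines the unset
# to the child; the caller's shell keeps its agent for other work. Returns
# the child's exit status.
run_without_agent() {
    (
        for v in $AGENT_VARS; do unset "$v"; done
        exec "$@"
    )
}

# curl wrapper for scp:// and sftp:// URLs. Requires an explicit --key so the
# credential used is the one named on the command line (a choice made here).
# Returns 2 when --key is missing, otherwise curl's own exit status.
curl_noagent() {
    have_key=0
    for arg in "$@"; do
        case $arg in --key) have_key=1 ;; esac
    done
    if [ "$have_key" -eq 0 ]; then
        echo "curl_noagent: name the private key with --key <file>" >&2
        return 2
    fi
    run_without_agent curl "$@"
}

# Demo: show that the child sees no agent even when the caller has one.
run_without_agent sh -c 'echo "child sees SSH_AUTH_SOCK=${SSH_AUTH_SOCK-<unset>}"'

# Usage (illustrative host and key path):
#   curl_noagent -u user: --key ~/.ssh/specific_key sftp://example.com/file
```

Because the variables are removed inside a subshell rather than with a bare unset, scripts that source this file can call curl_noagent and then continue to use ssh with their agent as before.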
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

