Arch Linux Security Advisory ASA-202506-2 ========================================= Severity: Low Date : 2025-06-05 CVE-ID : CVE-2025-5399 Package : curl Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2895 Summary ======= The package curl before version 8.14.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 8.14.1-1. # pacman -Syu "curl>=8.14.1-1" The problem has been fixed upstream in version 8.14.1. Workaround ========== None. Description =========== Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. Impact ====== A remote attacker can send a specially crafted WebSocket frame that triggers an infinite busy-loop in libcurl, causing the application to hang indefinitely potentially leading to a denial of service. References ========== https://curl.se/docs/CVE-2025-5399.html https://github.com/curl/curl/commit/d1145df24de8f80e6b16 https://security.archlinux.org/CVE-2025-5399