Unrated severityOSV Advisory· Published Jan 8, 2026· Updated Jan 8, 2026

No QUIC certificate pinning with GnuTLS

CVE-2025-13034

Description

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool,curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Affected products

Curl/CurlOSV2 versions
curl-8_10_0, curl-8_10_1, curl-8_11_0, …+ 1 more
- (no CPE)range: curl-8_10_0, curl-8_10_1, curl-8_11_0, …
- (no CPE)
Curl/Libcurlllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000