WebSocket endless loop
Description
A crafted WebSocket packet can cause libcurl to enter an infinite busy-loop, leading to denial of service in applications using libcurl versions 8.13.0 through 8.14.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw in libcurl's WebSocket handling causes an infinite busy-loop when a malicious server sends a specially crafted packet. The loop has no exit condition, so the thread that called into libcurl never returns and the application is trapped indefinitely. The path involved is libcurl's automatic PONG reply to incoming PING frames (auto-pong), which is why disabling auto-pong keeps libcurl out of the bug. The bug affects libcurl versions 8.13.0 to 8.14.0 inclusive; versions before 8.13.0 and from 8.14.1 onward are not vulnerable. The issue does not affect the curl command-line tool [1].
Exploitation
The attacker must control the WebSocket server the victim application connects to, or be able to inject frames into an unprotected ws:// connection. No authentication or prior access is required. A single crafted WebSocket packet sent to the client is enough: upon processing it, libcurl enters the endless busy-loop. Because the libcurl call never returns, any timeout or watchdog that depends on control coming back to the application does not fire; the application cannot escape the loop except by killing the thread or process [1].
Impact
Successful exploitation results in a denial of service (DoS): the trapped thread spins at full CPU, the affected application becomes unresponsive, and it must be terminated. No data confidentiality or integrity is compromised; the attack only affects availability [1].
Mitigation
Upgrade to libcurl version 8.14.1, released on June 4, 2025, which contains the fix. Alternatively, apply the patch from commit d1145df24de8f80e6b16. As a workaround, disable auto-pong by setting the CURLWS_NOAUTOPONG bit in CURLOPT_WS_OPTIONS, which keeps libcurl out of the vulnerable code path. Two caveats apply: the bit is only defined in newer curl/curl.h headers (test for it with #ifdef before relying on it; on builds that lack it, only upgrading helps), and with auto-pong disabled the application must answer incoming PING frames itself (a PONG sent with curl_ws_send and the CURLWS_PONG flag), otherwise servers that expect a PONG may close the connection. Avoid using WebSocket functionality if neither upgrade nor workaround is possible [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
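The version gate and the CURLWS_NOAUTOPONG workaround from the Mitigation section, as an added example that is not the advisory's or the curl project's own code. It encodes the affected range 8.13.0 through 8.14.0 in libcurl's packed 0xXXYYZZ version layout, parses version strings into that layout, and, when built with -DUSE_LIBCURL -lcurl, checks the runtime libcurl via curl_version_info() and sets the bit on an easy handle if the header defines it. The helper names (ws_loop_affected, parse_libcurl_version, harden_ws_handle) and the USE_LIBCURL build switch are this example's own; the default version string in main() is constructed for illustration.

```c
/* Added example for this advisory, not code from the curl project. It gates
 * WebSocket use on the runtime libcurl version and, for affected versions,
 * applies the CURLWS_NOAUTOPONG workaround when the header defines it.
 * Build as plain C to use only the version logic; add -DUSE_LIBCURL -lcurl
 * to enable the libcurl calls (the helper names here are this example's own). */
#include <stdio.h>
#include <stdlib.h>

/* libcurl packs versions as 0xXXYYZZ (major, minor, patch); this is the
 * layout of LIBCURL_VERSION_NUM and of curl_version_info()->version_num. */
#define LIBCURL_VER(maj, min, pat) (((maj) << 16) | ((min) << 8) | (pat))

/* Affected range per the advisory: 8.13.0 through 8.14.0, fixed in 8.14.1. */
static const unsigned int FIRST_AFFECTED = LIBCURL_VER(8, 13, 0); /* 0x080D00 */
static const unsigned int FIXED_IN       = LIBCURL_VER(8, 14, 1); /* 0x080E01 */

/* 1 if a packed version number falls in the affected range, else 0. */
int ws_loop_affected(unsigned int version_num)
{
    return version_num >= FIRST_AFFECTED && version_num < FIXED_IN;
}

/* Parse an "8.14.0" or "8.14.0-DEV" string (the LIBCURL_VERSION / curl
 * --version form) into the packed layout. Returns 0 for malformed input. */
unsigned int parse_libcurl_version(const char *s)
{
    unsigned int part[3];
    char *end;
    for (int i = 0; i < 3; i++) {
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || v > 255)            /* no digits, or too big for a byte */
            return 0;
        part[i] = (unsigned int)v;
        if (i < 2) {
            if (*end != '.')
                return 0;
            s = end + 1;
        } else if (*end != '\0' && *end != '-') {
            return 0;                       /* only a "-suffix" may follow */
        }
    }
    return LIBCURL_VER(part[0], part[1], part[2]);
}

#ifdef USE_LIBCURL
#include <curl/curl.h>

/* Returns 1 if the running libcurl is affected (and then applies the
 * workaround to the easy handle if this header knows the bit), 0 otherwise. */
int harden_ws_handle(CURL *easy)
{
    curl_version_info_data *vi = curl_version_info(CURLVERSION_NOW);
    if (!ws_loop_affected(vi->version_num))
        return 0;
#ifdef CURLWS_NOAUTOPONG
    /* Auto-pong is now off: the application must answer PING frames itself,
     * e.g. curl_ws_send(easy, payload, len, &sent, 0, CURLWS_PONG). */
    curl_easy_setopt(easy, CURLOPT_WS_OPTIONS, (long)CURLWS_NOAUTOPONG);
#else
    fprintf(stderr, "libcurl %s is affected and this header lacks "
                    "CURLWS_NOAUTOPONG; upgrade to 8.14.1 or later\n", vi->version);
#endif
    return 1;
}
#endif

int main(int argc, char **argv)
{
#ifdef USE_LIBCURL
    CURL *easy = curl_easy_init();
    int affected = easy ? harden_ws_handle(easy) : 0;
    printf("runtime libcurl %s: %s\n", curl_version_info(CURLVERSION_NOW)->version,
           affected ? "AFFECTED, workaround attempted" : "not affected");
    if (easy)
        curl_easy_cleanup(easy);
    (void)argc; (void)argv;
#else
    /* Without libcurl, classify a version string given on the command line. */
    const char *ver = argc > 1 ? argv[1] : "8.14.0";   /* constructed default */
    unsigned int num = parse_libcurl_version(ver);
    if (!num) {
        fprintf(stderr, "unparseable version: %s\n", ver);
        return 2;
    }
    printf("libcurl %s (0x%06X): %s\n", ver, num,
           ws_loop_affected(num) ? "AFFECTED" : "not affected");
#endif
    return 0;
}
```

Run it as `./a.out 8.13.2` to classify a version string offline, or build with `-DUSE_LIBCURL -lcurl` to check the library actually loaded at runtime, which is what matters when the application is dynamically linked against a distribution libcurl rather than the headers it was compiled with. The runtime check is deliberately separate from the #ifdef on CURLWS_NOAUTOPONG: a header that defines the bit says nothing about whether the library underneath is a fixed 8.14.1, and vice versa.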
Affected products
23 OSV coordinates (none with a CPE); each package is affected below the listed version:
- pkg:rpm/almalinux/mecab: < 0.996-3.module_el9.6.0+152+8cbce00c.4
- pkg:rpm/almalinux/mecab-devel: < 0.996-3.module_el9.6.0+152+8cbce00c.4
- pkg:rpm/almalinux/mecab-ipadic: < 2.7.0.20070801-24.module_el9.6.0+152+8cbce00c
- pkg:rpm/almalinux/mecab-ipadic-EUCJP: < 2.7.0.20070801-24.module_el9.6.0+152+8cbce00c
- pkg:rpm/almalinux/mysql: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql8.4-common: < 8.4.6-2.el10_0
- pkg:rpm/almalinux/mysql8.4-errmsg: < 8.4.6-2.el10_0
- pkg:rpm/almalinux/mysql8.4-test-data: < 8.4.6-2.el10_0
- pkg:rpm/almalinux/mysql-common: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-devel: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-errmsg: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-libs: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-selinux: < 1.0.14-1.el10_0
- pkg:rpm/almalinux/mysql-server: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-test: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/mysql-test-data: < 8.4.6-1.module_el9.6.0+180+a4e757e5
- pkg:rpm/almalinux/rapidjson-devel: < 1.1.0-19.module_el9.6.0+152+8cbce00c
- pkg:rpm/almalinux/rapidjson-doc: < 1.1.0-19.module_el9.6.0+152+8cbce00c
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.6: < 8.14.1-150600.4.28.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed: < 8.14.1-4.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: < 8.14.1-150600.4.28.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7: < 8.14.1-150600.4.28.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.1: < 8.14.1-slfo.1.1_1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3 references (list not reproduced on this page)
News mentions
No linked articles in our index yet.