Skip to content

wcurl: Really fix CVE-2025-11563 #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
samueloph merged 1 commit into from
Nov 9, 2025
Merged

wcurl: Really fix CVE-2025-11563 #75

samueloph merged 1 commit into from
Nov 9, 2025

Conversation

@xry111
Copy link
Contributor

@xry111 xry111 commented Nov 9, 2025

When we pass a string to is_safe_percent_encode, it always begins with "%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so nothing can be matched.

Also update the test suite to fix the false positive.

@xry111
wcurl: Really fix CVE-2025-11563
65546ba 
When we pass a string to is_safe_percent_encode, it always begins with
"%'.  But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.

Also update the test suite to fix the false positive.

Signed-off-by: Xi Ruoyao <[email protected]>
@xry111 xry111 force-pushed the xry111/cve-2025-11563-2 branch from 8bd1c71 to 65546ba Compare November 9, 2025 06:38
@xry111 xry111 mentioned this pull request Nov 9, 2025
Merged
7 tasks
@samueloph samueloph merged commit 65546ba into curl:main Nov 9, 2025
4 checks passed
@samueloph
Copy link
Collaborator

samueloph commented Nov 9, 2025

@xry111 thank you for the report and patch, we had an initial version of our fix which was thoroughly tested and confirmed to work, but then we refactored it later and relied on the unit tests, which was not correctly checking the fix.

I'm merging this and creating a new release: 2025.11.09

MingcongBai pushed a commit to AOSC-Tracking/curl that referenced this pull request Nov 10, 2025
@samueloph @MingcongBai
FROMLIST: wcurl: import v2025.11.09
2539b9f 
Link: curl/wcurl#75
Link: curl#19430
Signed-off-by: Mingcong Bai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xry111 @samueloph