CVE-2025-15224
Public on 2026-01-08
Modified on 2026-01-08
Description
libssh key passphrase bypass without agent set
NOTE: https://curl.se/docs/CVE-2025-15224.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa (curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend
NOTE: https://curl.se/docs/CVE-2025-15224.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa (curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | curl | 2026-02-19 | ALAS2-2026-3173 | Fixed |
| Amazon Linux 2023 | curl | 2026-02-18 | ALAS2023-2026-1375 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |