CVE-2025-4947 is a medium-severity vulnerability affecting multiple recent versions of the curl library (versions 8.8.0 through 8.13.0). The issue stems from improper certificate validation (CWE-295) specifically when curl establishes QUIC protocol connections to hosts identified by IP addresses rather than domain names. In this scenario, libcurl erroneously skips the crucial step of verifying the server's TLS certificate. This flaw undermines the security guarantees of TLS over QUIC by allowing attackers to impersonate legitimate servers or perform man-in-the-middle (MITM) attacks without detection. Since the certificate validation is bypassed, an attacker positioned on the network path could intercept or manipulate data exchanged over QUIC connections initiated by vulnerable curl versions when the target is specified via IP address. The vulnerability does not require any user interaction or privileges and can be exploited remotely over the network. The CVSS 3.1 base score is 6.5 (medium), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality and integrity but no impact on availability. No known exploits are currently reported in the wild, and no patches were linked at the time of publication. This vulnerability highlights a subtle but impactful flaw in the certificate validation logic for QUIC connections, which is critical given the increasing adoption of QUIC for performance and security benefits in web and application traffic.

For European organizations, the vulnerability poses a tangible risk to the confidentiality and integrity of data transmitted over QUIC connections using curl when IP addresses are used directly. Many enterprise and cloud applications, internal tools, and automation scripts rely on curl for data transfer and API communication. If these tools connect to services via IP addresses, attackers could intercept sensitive information such as credentials, tokens, or proprietary data, or inject malicious content without detection. This risk is amplified in sectors with high security requirements like finance, healthcare, and government, where data breaches can lead to regulatory penalties under GDPR and loss of trust. The vulnerability could also facilitate lateral movement within networks if attackers exploit it to compromise internal services. Although no availability impact is expected, the breach of confidentiality and integrity can have severe operational and reputational consequences. The lack of known exploits suggests limited current active threat, but the vulnerability’s presence in widely used curl versions means organizations should act promptly to prevent future exploitation.

Organizations should immediately audit their use of curl, especially scripts and applications that initiate QUIC connections using IP addresses in URLs. Where possible, replace IP addresses with fully qualified domain names (FQDNs) to ensure proper certificate validation. Update curl to the latest patched version once available from the vendor to address the certificate validation bypass. In the interim, consider disabling QUIC protocol support in curl if feasible to avoid exposure. Network-level mitigations such as enforcing TLS inspection and monitoring for anomalous QUIC traffic may help detect exploitation attempts. Additionally, implement strict certificate pinning or mutual TLS authentication for critical services to reduce reliance on default validation. Security teams should review logs for unusual QUIC connection patterns and prepare incident response plans for potential MITM scenarios. Finally, educate developers and system administrators about the risks of using IP addresses in secure connections and encourage best practices for secure communication.