CVE-2025-11563
4.6
MEDIUM
CVSS 3.1
EPSS 0.02%
Description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
How to fix CVE-2025-11563
To remediate CVE-2025-11563, upgrade the affected package to a fixed version below.
- Debian/curl—upgrade to 8.14.1-2+deb13u2 or later
Is CVE-2025-11563 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 8.14.1-2+deb13u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |