CVE-2025-5399

WebSocket endless loop

Description

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop.

There is no other way for the application to escape or exit this loop other than killing the thread/process.

This might be used to DoS libcurl-using application.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

7.5

Severity

High

Ecosystem

APK

Publish Date

June 4, 2025

Modified Date

May 26, 2026

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions