A vulnerability (CVE-2025-0665) has been found in libcurl, the widely used multi-protocol file transfer library. When libcurl takes down a connection channel after a threaded name resolve has completed, it closes the same eventfd file descriptor twice. A double close is not harmless: the second close() can land on an unrelated descriptor that the kernel has since handed out to something else, so applications using libcurl can crash or behave unpredictably.

In this long-read post, we look at the details of the vulnerability, a simplified code snippet illustrating the issue, and the original references. We also discuss what an exploit could realistically achieve and the patch that fixes the bug.

Vulnerability Details

The bug sits in the teardown path of the threaded name resolver. The resolver thread signals completion through an eventfd, and once the resolve has finished and the connection channel is being taken down, libcurl closes that eventfd on two separate paths. Closing a descriptor twice matters because descriptor numbers are recycled: POSIX requires that a new open(), socket(), eventfd() or similar call returns the lowest free number, so if anything in the process (including another thread) opens a descriptor between the two closes, the second close() silently destroys that unrelated descriptor instead of failing with EBADF. The resulting symptoms range from spurious I/O errors and crashes to data being read from or written to the wrong descriptor. The curl advisory lists the affected and fixed versions.

A simplified snippet illustrating the problematic pattern can be seen below. It is schematic (the names and structure are simplified for the explanation) and is not the verbatim libcurl source:

/* Simplified illustration of the teardown pattern, not the verbatim libcurl
   source. conn->async.os_specific holds the eventfd that the resolver thread
   uses to signal that the name resolve has completed. */

/* Runs once the resolver thread reports completion and populates
   conn->async.dns with the resolved hostname. */
void Curl_resolver_is_resolved(struct connectdata *conn, bool *status)
{
    DEBUGASSERT(conn);
    DEBUGASSERT(conn->async.done);

    *status = TRUE;
    /* first close: the thread no longer needs the wakeup descriptor */
    Curl_close(conn->async.os_specific);
    /* BUG: the field still holds the (now stale) descriptor number */
}

/* Runs when the connection channel is torn down. */
static void resolver_channel_teardown(struct connectdata *conn)
{
    conn->async.dns = NULL;
    if(conn->async.dnshost) {
        free(conn->async.dnshost);
        conn->async.dnshost = NULL;
    }
    if(conn->async.os_specific) {
        /* BUG: second close of the same eventfd number; by now the kernel
           may already have reassigned it to an unrelated descriptor */
        Curl_close(conn->async.os_specific);
        conn->async.os_specific = NULL;
    }
}

The problem is that the eventfd held in conn->async.os_specific is closed on both paths: once when the threaded resolve completes, and again when the connection channel is torn down, because the first path never clears the field. The second Curl_close() therefore operates on a descriptor number that the kernel may already have reassigned, which is exactly the double close described in the advisory.
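To make the failure mode concrete, here is an added, stand-alone C example (not libcurl code) that models the two teardown paths with a minimal `struct async_state` of my own, reproduces the descriptor-reuse hazard, and shows the close-once pattern that fixes it. It uses a real eventfd on Linux and falls back to /dev/null elsewhere; both honour the lowest-free-number rule, which is what makes the stale second close hit the wrong descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/eventfd.h>
#endif

/* Assumed, simplified stand-in for the resolver's per-connection state:
   only the wakeup descriptor matters for this demonstration. */
struct async_state {
    int wakeup_fd;
};

/* Create the wakeup descriptor: a real eventfd on Linux, /dev/null elsewhere.
   Either way the kernel hands out the lowest free descriptor number. */
static int open_wakeup(struct async_state *st)
{
#ifdef __linux__
    st->wakeup_fd = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
#else
    st->wakeup_fd = open("/dev/null", O_RDONLY);
#endif
    return st->wakeup_fd;
}

/* --- Buggy pattern: two teardown paths, each closes, neither resets --- */
static void buggy_thread_done(struct async_state *st)
{
    close(st->wakeup_fd);            /* first close, field left untouched */
}

static void buggy_channel_teardown(struct async_state *st)
{
    close(st->wakeup_fd);            /* second close of the same number */
}

/* --- Fixed pattern: close exactly once, then poison the field --- */
static void close_once(int *fd)
{
    if(*fd != -1) {
        close(*fd);
        *fd = -1;                    /* later callers see "already closed" */
    }
}

static void fixed_thread_done(struct async_state *st) { close_once(&st->wakeup_fd); }
static void fixed_channel_teardown(struct async_state *st) { close_once(&st->wakeup_fd); }

/* Returns 1 when the stale second close destroyed an unrelated descriptor
   that was allocated in between; -1 if a descriptor could not be created. */
int demo_double_close_hazard(void)
{
    struct async_state st;
    int victim, reused, victim_dead;

    if(open_wakeup(&st) == -1)
        return -1;
    buggy_thread_done(&st);                 /* the number is now free ... */
    victim = open("/dev/null", O_RDONLY);   /* ... and is reused right here */
    if(victim == -1)
        return -1;
    reused = (victim == st.wakeup_fd);
    buggy_channel_teardown(&st);            /* actually closes 'victim' */
    victim_dead = (fcntl(victim, F_GETFD) == -1 && errno == EBADF);
    if(!victim_dead)
        close(victim);
    return reused && victim_dead;
}

/* Returns 1 when the close-once pattern leaves the unrelated descriptor intact. */
int demo_close_once(void)
{
    struct async_state st;
    int victim, alive;

    if(open_wakeup(&st) == -1)
        return -1;
    fixed_thread_done(&st);
    victim = open("/dev/null", O_RDONLY);
    if(victim == -1)
        return -1;
    fixed_channel_teardown(&st);            /* no-op: the field is already -1 */
    alive = (fcntl(victim, F_GETFD) != -1);
    close(victim);
    return alive;
}

int main(void)
{
    printf("double close hit an unrelated fd: %d\n", demo_double_close_hazard());
    printf("close-once left the other fd intact: %d\n", demo_close_once());
    return 0;
}
```

The "victim" open() stands in for whatever another thread happens to create between the two closes, such as a socket or a log file; in a real multithreaded client that is where the bug turns into a confusing crash or misdirected I/O rather than a clean EBADF. The fix is the same whatever the descriptor type: close in one place, and reset the field to -1 so every other path can see it is gone.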

Original References

The vulnerability was published by the curl project and is documented in its security advisory list; the source code is in the project's GitHub repository:

- libcurl: Security advisory CVE-2025-0665 (https://curl.se/docs/CVE-2025-0665.html)
- libcurl GitHub repository (https://github.com/curl/curl)

Possible Exploits

No public exploit is known, and the bug is not a memory-corruption primitive in the usual sense: it operates on descriptor numbers rather than pointers. Its practical impact is still real. If nothing has reused the descriptor number, the second close() simply fails with EBADF; if another thread has opened a file or socket in between, that unrelated descriptor is closed out from under its owner, which surfaces as spurious I/O errors, a crash, or data being read from or written to the wrong descriptor once the number is reused again. Developers should treat it as a stability and correctness issue and apply the patch rather than wait for a demonstrated attack.

Patch and Mitigation

The libcurl maintainers have fixed the issue; the fix commit is referenced from the advisory:

- CVE-2025-0665: Fix incorrect double close of eventfd in threaded resolver

Developers using an affected version of libcurl should upgrade to a fixed release (the advisory lists the affected and fixed versions). The code path is only exercised by builds that use the threaded resolver, which curl --version reports under Features as AsynchDNS (c-ares builds report the same flag but also name c-ares on the first line of the output), so that output is a quick way to triage which hosts need attention first. As always, keep applications that embed libcurl on current releases and track the curl security advisories.

Conclusion

CVE-2025-0665 is a double close of an eventfd in libcurl's threaded name resolver, triggered when a connection channel is taken down after a resolve has completed. Because descriptor numbers are recycled, the stale second close can hit an unrelated descriptor and cause crashes or undefined behavior in applications using libcurl. Developers should apply the fix by updating to a patched release and keep their libcurl builds current.

Timeline

Published on: 02/05/2025 10:15:22 UTC
Last modified on: 02/05/2025 20:15:45 UTC