Security Data: SECDATA-1064

False Positive for CVE-2025-0725

    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major
    • oval
    • Important
    • Very Likely
    • 0

      Current Behavior

      libcurl-minimal is vulnerable to CVE-2025-0725 regardless of the installed zlib version. The CVE description clearly states:

      “When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.”


      Expected Behavior

      Isn't libcurl-minimal incorrectly flagged for CVE-2025-0725? Should this CVE be flagged under the `zlib` package?


      Steps to reproduce

      • Install libcurl-minimal and zlib packages together
      • libcurl-minimal version is `7.76.1-31.el9`
      • zlib version is `1.2.11-40.el9`
      • Scan this image using Trivy
      • We can see CVE-2025-0725 reported under the libcurl-minimal package
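The reproduction above turns on one fact: the CVE text quoted in the report makes the vulnerable path conditional on zlib 1.2.0.3 or older. The following helper, added here as an illustration and not part of the issue or of Trivy, checks that version condition against an installed package inventory. The package names and versions are the ones from the report; the inventory dictionary, the function names and the RPM version-release parsing are my own construction. It answers only "is the installed zlib within the range the CVE description names"; which package a scanner should attribute the CVE to is the question the issue raises and is not decided here.

```python
"""Triage helper for the zlib version condition quoted in CVE-2025-0725.

Assumed layout (constructed for this example): an inventory maps RPM package
names to their version-release strings, as `rpm -q --qf '%{VERSION}-%{RELEASE}'`
would print them.
"""
import re

# Upper bound of the affected zlib range, as quoted in the CVE description
# ("using zlib 1.2.0.3 or older").
ZLIB_MAX_AFFECTED = "1.2.0.3"

# Inventory taken from the issue's steps to reproduce (constructed dict).
REPORTED_INVENTORY = {
    "libcurl-minimal": "7.76.1-31.el9",
    "zlib": "1.2.11-40.el9",
}


def split_evr(evr: str):
    """Split an RPM 'version-release' string into (version, release).

    '1.2.11-40.el9' -> ('1.2.11', '40.el9'); a bare version yields ('', '').
    """
    version, _, release = evr.partition("-")
    return version, release


def version_key(version: str):
    """Numeric segments of a dotted version, e.g. '1.2.11' -> (1, 2, 11).

    Non-numeric text is ignored, which is adequate for zlib/curl-style versions.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b.

    Segments are compared numerically (so 1.10 > 1.9) and missing trailing
    segments count as zero (so 1.2 == 1.2.0).
    """
    ka, kb = list(version_key(a)), list(version_key(b))
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def zlib_precondition_met(inventory: dict) -> bool:
    """True when the installed zlib is 1.2.0.3 or older.

    That is the version condition the CVE description attaches to the buffer
    overflow. If zlib is absent from the inventory there is nothing to compare,
    so the condition is reported as not met.
    """
    evr = inventory.get("zlib")
    if evr is None:
        return False
    upstream, _release = split_evr(evr)
    return compare_versions(upstream, ZLIB_MAX_AFFECTED) <= 0


def triage_cve_2025_0725(inventory: dict) -> dict:
    """Summarise what the version check says for a scanned package set."""
    return {
        "libcurl_minimal": inventory.get("libcurl-minimal"),
        "zlib": inventory.get("zlib"),
        "zlib_1_2_0_3_or_older": zlib_precondition_met(inventory),
    }


if __name__ == "__main__":
    # For the versions in the report the zlib condition is not met.
    print(triage_cve_2025_0725(REPORTED_INVENTORY))
```

The comparison deliberately works on the upstream version only and ignores the `-40.el9` release; the release number says which distribution build is installed, not which upstream zlib code it carries, so it is the wrong thing to compare against a bound like 1.2.0.3.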


      People

      • rhn-support-ymittal Yogesh Mittal
      • sairohith.kommineni@aquasec.com Sai Rohith Kommineni (Inactive)

      Votes: 0
      Watchers: 4