nginx/docker-nginx-unprivileged

CVE-2025-0665 and CVE-2025-072 - curl 8.11.1-r0 - fixed in curl 8.12.0-r0

Closed this issue · 2 comments

Describe the bug

These two new CVEs are present in the Alpine images, due to curl being on version 8.11.1-r0. An update to 8.12.0-r0 is already available for Alpine. I am not sure about the version with the Debian bookworm based images.

Hey @Totto16 -- if you check the README and the SECURITY docs, you will see that curl is not one of the packages considered to be critical to nginx, and is not used by nginx in any way or shape. That being said, this issue should be fixed in the latest image builds.

I just reported it, since there was a similar issue, #242.