CVE-2025-11563 PUBLISHED

wcurl path traversal with percent-encoded slashes

Assigner: curl
Reserved: 09.10.2025 Published: 25.02.2026 Updated: 25.02.2026

URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it.

This flaw only affects the wcurl command line tool.

Product Status

Vendor	curl
Product	curl
Versions	Default: unaffected affected from 8.17.0 to 8.17.0 (incl.) affected from 8.16.0 to 8.16.0 (incl.) affected from 8.15.0 to 8.15.0 (incl.) affected from 8.14.1 to 8.14.1 (incl.) affected from 8.14.0 to 8.14.0 (incl.)

Credits

Stanislav Fort (Aisle Research) finder
Samuel Henrique remediation developer
Sergio Durigan Junior remediation developer
Xi Ruoyao remediation developer

References

json
www

Problem Types

CWE-35 Path Traversal