Cyber Posture

CVE-2025-0725

High · Public PoC

Published: 05 February 2025

Modified: 27 June 2025
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0060 (69.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0725 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in NetApp HCI Baseboard Management Controller. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 30.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

SI-2 requires timely identification, reporting, and correction of flaws such as this libcurl buffer overflow, which stems from an integer overflow in gzip decompression when old zlib versions are in use.

prevent · detect

RA-5 mandates vulnerability scanning to identify systems running vulnerable libcurl configurations with zlib 1.2.0.3 or older.

prevent

SI-16 implements memory protections such as ASLR and DEP that mitigate exploitation of the buffer overflow even if the vulnerable libcurl code executes.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Buffer overflow in libcurl client during HTTP response processing enables remote exploitation for client-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

Deeper analysis · AI

CVE-2025-0725 is a buffer overflow vulnerability in libcurl triggered by an attacker-controlled integer overflow during automatic gzip decompression of content-encoded HTTP responses when the CURLOPT_ACCEPT_ENCODING option is enabled, specifically when using zlib 1.2.0.3 or older. This issue affects libcurl implementations configured for automatic decompression in such environments and is classified as CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')). The vulnerability received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) upon its publication on 2025-02-05.

A remote, unauthenticated attacker can exploit this vulnerability by controlling an HTTP response with gzip encoding that the target libcurl instance processes. Exploitation requires no user interaction or privileges and can occur over the network with low attack complexity. Successful exploitation leads to a buffer overflow, potentially resulting in limited impacts to confidentiality, integrity, and availability as per the CVSS assessment.

Official advisories and patch details are provided by the curl project at https://curl.se/docs/CVE-2025-0725.html and https://curl.se/docs/CVE-2025-0725.json, with additional context in the originating HackerOne report at https://hackerone.com/reports/2956023 and discussions on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/02/05/3 and http://www.openwall.com/lists/oss-security/2025/02/06/2.
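A version audit for the two preconditions named above (an affected libcurl together with zlib 1.2.0.3 or older), written as an added example and not taken from the curl project or this page's tooling. It assumes the input is the first line of `curl --version` output; the status labels and sample banners are constructed for illustration.

```python
import re

# Page values: libcurl "7.10.5 — 8.12.0" (both ends treated as inclusive here,
# an assumption; confirm the fixed release in the curl advisory) and
# "zlib 1.2.0.3 or older".
LIBCURL_FIRST = (7, 10, 5, 0)
LIBCURL_LAST = (8, 12, 0, 0)
ZLIB_LAST_VULNERABLE = (1, 2, 0, 3)

VERSION = r"(\d+(?:\.\d+)*)"


def parse_version(text, width=4):
    """'1.2.11' -> (1, 2, 11, 0): zero-padded so tuples compare numerically."""
    parts = [int(p) for p in text.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))


def assess(banner):
    """Classify the first line of `curl --version` output."""
    curl = re.search(r"\blibcurl/" + VERSION, banner)
    if not curl:
        return "UNKNOWN"      # no libcurl token to judge
    if not LIBCURL_FIRST <= parse_version(curl.group(1)) <= LIBCURL_LAST:
        return "LIBCURL_OK"   # outside the affected libcurl range
    zlib = re.search(r"\bzlib/" + VERSION, banner)
    if not zlib:
        return "NO_ZLIB"      # no zlib component listed in the banner
    if parse_version(zlib.group(1)) <= ZLIB_LAST_VULNERABLE:
        return "EXPOSED"      # affected libcurl with zlib 1.2.0.3 or older
    return "ZLIB_OK"          # affected libcurl, but zlib is newer


# Constructed sample banners (not captured from real hosts).
SAMPLES = {
    "legacy-bmc": "curl 7.12.1 (i386-pc-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.1.4",
    "old-server": "curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3",
    "workstation": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3",
    "no-zlib": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13",
    "current": "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.4.1 zlib/1.3.1",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(f"{host:12} {assess(banner)}")
```

An `EXPOSED` result means the version preconditions hold; whether the flaw is reachable also depends on the application enabling `CURLOPT_ACCEPT_ENCODING`, which the banner does not show.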

Details

CWE(s)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| netapp | hci baseboard management controller | all versions |
| netapp | hci h610s firmware | all versions |
| netapp | hci h610c firmware | all versions |
| netapp | hci h615c firmware | all versions |
| netapp | solidfire & hci management node | all versions |
| netapp | solidfire & hci storage node | all versions |
| haxx | curl | 7.10.5 — 8.12.0 |
| haxx | libcurl | 7.10.5 — 8.12.0 |

CVEs Like This One

CVE-2025-1861 · Same product class: NAS / storage appliance
CVE-2025-52864 · Same product class: NAS / storage appliance
CVE-2025-52863 · Same product class: NAS / storage appliance
CVE-2025-52872 · Same product class: NAS / storage appliance
CVE-2024-56171 · Same product: NetApp SolidFire & HCI Management Node
CVE-2025-27423 · Same product class: NAS / storage appliance
CVE-2020-37050 · Shared CWE-120
CVE-2024-57509 · Shared CWE-120
CVE-2020-37075 · Shared CWE-120
CVE-2025-26512 · Same product class: NAS / storage appliance

References