Impact of CVE-2025-14017 and CVE-2025-14819 affecting libcurl in Enterprise Vault

Article ID: 100076694

Updated On:

Description

CVE-2025-14017: libcurl LDAPS transfers (LDAP over TLS) vulnerability

A flaw was discovered in libcurl: when doing multi-threaded LDAPS transfers (LDAP over TLS), changing TLS options in one thread inadvertently changed them globally, so the change could also affect other transfers being set up concurrently. Disabling certificate verification for one transfer could therefore unintentionally disable it for transfers in other threads as well.
https://nvd.nist.gov/vuln/detail/CVE-2025-14017

Affected Versions

- libcurl versions 7.17.0 up to (excluding) 8.18.0

CVSS 4.x Severity and Vector Strings

- NIST: NVD
- N/A
- NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings

- NIST: NVD
- N/A
- NVD assessment not yet provided.
- ADP: CISA-ADP
- Base Score: 6.3 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE-2025-14819: libcurl TLS transfers vulnerability

A flaw was discovered in libcurl: when doing TLS transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option between transfers, libcurl could reuse a CA store cached in memory that had been built with the opposite partial-chain setting, contrary to the caller's intent. This could make libcurl find and accept a trust chain that it otherwise would have rejected.
https://nvd.nist.gov/vuln/detail/CVE-2025-14819


Affected Versions

- libcurl versions 7.87.0 up to (excluding) 8.18.0


CVSS 4.x Severity and Vector Strings

- NIST: NVD
- N/A
- NVD assessment not yet provided.


CVSS 3.x Severity and Vector Strings

- NIST: NVD
- N/A
- NVD assessment not yet provided.
- ADP: CISA-ADP
- Base Score: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N


Impact

Per Isode Support, neither vulnerability impacts Isode or Enterprise Vault, because the LDAP code in libcurl is not used.

An affected version of libcurl may be present on Enterprise Vault servers, but Enterprise Vault does not exercise the affected code paths (LDAPS transfers for CVE-2025-14017, and reused handles with `CURLSSLOPT_NO_PARTIALCHAIN` toggled between transfers for CVE-2025-14819). The vulnerabilities are therefore not exposed and cannot be exploited through Enterprise Vault.
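Scanner output will still flag a libcurl build in the ranges listed above, so it helps to be able to confirm quickly whether a given build falls inside either affected range. The following is an added example, not code from this advisory or from Enterprise Vault: it parses a version triple out of a bare version string, a `curl --version` banner, or a Windows file-version string, and reports which of the two CVEs list that version as affected. The sample banners are constructed. A match only says the build is in the affected range; per the Impact section, exposure depends on whether the affected workflow is used, which this check does not decide. Distribution builds that backport fixes without bumping the version will also be flagged by a version-only check.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in this advisory (NVD data): the lower bound is
# inclusive and the upper bound exclusive, i.e. 8.18.0 is the first fixed release.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "CVE-2025-14017": ((7, 17, 0), (8, 18, 0)),
    "CVE-2025-14819": ((7, 87, 0), (8, 18, 0)),
}


def parse_version(text: str) -> Version:
    """Extract a libcurl version triple from free text.

    Accepts a bare string ("8.5.0"), a 'curl --version' banner
    ("curl 8.5.0 (...) libcurl/8.5.0 OpenSSL/..."), or a Windows file-version
    string ("8.5.0.0"). The libcurl/ token is preferred when present, because
    the library is what the CVEs are about, not the curl command-line tool.
    """
    match = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version triple found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def affected_cves(text: str) -> List[str]:
    """Return the CVE IDs from this advisory whose range contains the version in text."""
    version = parse_version(text)
    return [
        cve for cve, (low, high) in AFFECTED_RANGES.items()
        if low <= version < high
    ]


def report(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host label to the CVEs its libcurl build is listed under."""
    return {host: affected_cves(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners; hostnames and versions are illustrative only.
    sample = {
        "ev-server-01": "curl 8.5.0 (x86_64-w64-mingw32) libcurl/8.5.0 Schannel",
        "ev-server-02": "curl 7.50.3 (x86_64-pc-linux-gnu) libcurl/7.50.3 OpenSSL/1.0.2",
        "ev-server-03": "8.18.0.0",  # Windows file-version string, first fixed release
    }
    for host, cves in report(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'not in an affected range'}")
```

Run it against the collected `curl --version` output (or the file version of the libcurl DLL) from each server; a host listed under either CVE has an affected build installed, and the Impact section above still applies to whether that build is actually exposed.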


Mitigation

As Enterprise Vault is not affected, no mitigation or resolution is required.

Note - It is NOT recommended to attempt upgrading the libcurl component independently as this can cause unexpected product behaviour in Enterprise Vault.


Questions

For questions or problems regarding these vulnerabilities please contact Technical Support.


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
