A certificate validation bypass vulnerability exists in the OpenSSL backend of libcurl. Under specific configuration changes between transfers, libcurl may inadvertently accept a partial SSL/TLS certificate trust chain that should have been rejected by the security policy.
CVE ID: CVE-2025-14819
Severity: Low
Affected Versions: curl 7.87.0 through 8.17.0
The vulnerability occurs when a libcurl handle is reused and the CURLSSLOPT_NO_PARTIALCHAIN bit is toggled between transfers. The OpenSSL store flags can then be left in an inconsistent state, so a partial chain may be accepted even though the current policy says it should be rejected.
To successfully exploit this vulnerability, all of the following conditions must be met:
| Condition # | Requirement | Status in EG Environment |
| --- | --- | --- |
| 1 | Affected libcurl version (7.87.0 - 8.17.0) | YES |
| 2 | OpenSSL backend in use | YES |
| 3 | CURLSSLOPT_NO_PARTIALCHAIN option in use | NO |
| 4 | Option toggled between transfers | NO |
| 5 | Reuse of handles | YES |
| 6 | CA cache enabled | YES |
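As an added example that is not part of this advisory, the shell check below screens the first line of `curl --version` against conditions 1 and 2 of the table (libcurl 7.87.0 through 8.17.0 built on the OpenSSL backend); the version lines in the test are constructed. Conditions 3 to 6 depend on how the application drives libcurl and cannot be read from a version string.

```shell
#!/bin/sh
# Added example, not from the advisory: screen a `curl --version` first line
# against conditions 1 and 2 of CVE-2025-14819 (libcurl 7.87.0..8.17.0 built
# with the OpenSSL backend). Conditions 3-6 depend on application code.

# Encode a dotted version (e.g. 8.17.0) as an integer so ranges compare with -lt/-gt.
ver_num() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Print one of: affected | backend-not-openssl | version-not-affected | unknown
# for the first line of `curl --version`. The libcurl/X.Y.Z token is used rather
# than the curl tool version, since the two can differ on a host.
curl_exposure() {
  line="$1"
  ver=""
  for tok in $line; do
    case "$tok" in libcurl/*) ver="${tok#libcurl/}" ;; esac
  done
  [ -n "$ver" ] || { echo unknown; return; }

  # LibreSSL and BoringSSL builds also go through libcurl's OpenSSL backend.
  case "$line" in
    *OpenSSL/*|*LibreSSL/*|*BoringSSL*) backend=openssl ;;
    *) backend=other ;;
  esac

  n=$(ver_num "$ver"); lo=$(ver_num 7.87.0); hi=$(ver_num 8.17.0)
  if [ "$n" -lt "$lo" ] || [ "$n" -gt "$hi" ]; then
    echo version-not-affected
  elif [ "$backend" != openssl ]; then
    echo backend-not-openssl
  else
    echo affected
  fi
}

# Classify the curl installed on this host, if there is one.
if command -v curl >/dev/null 2>&1; then
  first=$(curl --version 2>/dev/null | head -n 1)
  echo "local curl: $(curl_exposure "$first")"
fi
```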
VIP Enterprise Gateway
Release: 9.11.x
Current Impact: NO IMPACT
Because the VIP EG environment does not meet conditions #3 and #4, the vulnerability cannot be triggered. Furthermore, the curl maintainers have reported no known active exploits and maintain that the severity remains low.
No immediate emergency patching is required for this specific CVE; standard lifecycle updates for curl will be applied to the product in a later release.