curl/libcurl: SSL CBC IV vulnerability
curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified (CVE-2011-3389, aka the "BEAST" attack) and is already addressed by OpenSSL, which implemented a workaround to mitigate the problem. When doing so, OpenSSL found that some servers did not work with the workaround and offered a way to disable it. The bit used to disable the workaround was then added to the generic `SSL_OP_ALL` bitmask that SSL clients may use to enable workarounds for better compatibility with servers. libcurl uses the `SSL_OP_ALL` bitmask. While `SSL_OP_ALL` is documented to enable "rather harmless" workarounds, in this case it effectively re-enables this security vulnerability.
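The weak setting beside the corrected one, as an added example that is not code from curl or OpenSSL. The advisory's "bit used to disable the workaround" is OpenSSL's `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`; Python's `ssl` module exposes the same OpenSSL option word (`ssl.OP_ALL`) but does not export that flag by name, so its header value (bit 11, 0x800) is assumed inline. The function names are the example's own, and it assumes a Python linked against OpenSSL rather than another TLS library.

```python
import ssl

# OpenSSL's SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: the option bit that switches off
# the CBC IV (BEAST, CVE-2011-3389) mitigation. Python's ssl module does not
# export it by name, so the value (bit 11, 0x800) is assumed here from OpenSSL's
# ssl.h, where it has kept that value across the 1.0.x, 1.1.x and 3.x series.
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800


def weak_options() -> int:
    """Option word a client ends up with when it applies SSL_OP_ALL unchanged.

    SSL_OP_ALL is the bundle of server-compatibility workarounds; on OpenSSL it
    also carries OP_DONT_INSERT_EMPTY_FRAGMENTS, which is the problem the
    advisory describes.
    """
    return int(ssl.OP_ALL)


def hardened_options() -> int:
    """The same compatibility bundle with the one dangerous bit masked out."""
    return int(ssl.OP_ALL) & ~OP_DONT_INSERT_EMPTY_FRAGMENTS


def beast_mitigation_disabled(options: int) -> bool:
    """True when an option word would turn the CBC mitigation off."""
    return bool(options & OP_DONT_INSERT_EMPTY_FRAGMENTS)


def apply_hardened(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear the bit on a live context, whatever options it currently carries.

    Assigning to ctx.options clears the bits that are no longer present, so
    this works even for a context that was created with SSL_OP_ALL already set.
    """
    ctx.options = int(ctx.options) & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A default client context with the mitigation-disabling bit removed."""
    return apply_hardened(ssl.create_default_context())


if __name__ == "__main__":
    for label, opts in (("SSL_OP_ALL", weak_options()), ("hardened", hardened_options())):
        state = "DISABLED" if beast_mitigation_disabled(opts) else "active"
        print(f"{label:11s} 0x{opts:08x}  CBC mitigation: {state}")
    ctx = hardened_context()
    state = "DISABLED" if beast_mitigation_disabled(int(ctx.options)) else "active"
    print(f"default context after apply_hardened: CBC mitigation {state}")
```

The check is the same one an audit of a libcurl-style client would make: inspect the final option word rather than the symbolic flags it was built from, because the dangerous bit arrives as part of `SSL_OP_ALL` and never appears by name in the caller's code.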
No VEX statements published for CVE-2011-3389. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.