Vulnerability
curl/libcurl: not verifying certs for TLS to IP address / Secure Transport
When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc.) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's lifetime and it was not revoked) verification was still performed.

This is a problem in libcurl built to use the Secure Transport backend. Secure Transport is the TLS library present and used on Mac OS X and iOS. Only users on Mac OS X or iOS can be affected by this, and only if libcurl was built to use the native TLS backend library.

This problem was initially used as an example of the Apple SSL bug that hit [the news in late February 2014](https://www.imperialviolet.org/2014/02/22/applebug.html) but that was not correct.
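The gap described above can be shown with a small Python model of the name check. This is an added example, not libcurl or Secure Transport code. The function names and the sample certificate are constructed for illustration, the certificate uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and only subjectAltName entries are considered (no Common Name fallback).

```python
import ipaddress

# Constructed sample: certificate fields in the dict shape returned by
# ssl.SSLSocket.getpeercert(); assume it is CA-signed and within its dates.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def name_check_strict(host, cert):
    """An IP literal must equal an 'IP Address' SAN; a name must match a DNS SAN."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        return any(kind == "IP Address" and _as_ip(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host)
               for kind, value in sans)


def name_check_flawed(host, cert):
    """Models the flaw described above: no name check at all for IP literals."""
    if _as_ip(host) is not None:
        return True  # chain and dates were verified elsewhere, identity was not
    return name_check_strict(host, cert)
```

With the flawed check, any certificate that passes chain and date validation is accepted for any IP-literal URL, while the strict check accepts only an address listed in the certificate.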
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
Mid-pack — moderate exploitation likelihood.
No VEX statements published for CVE-2014-1263. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.
No exploitation, limited impact or prevalence