
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-0665 affects libcurl version 8.11.1, where the software would incorrectly close the same eventfd file descriptor twice during connection channel teardown after completing a threaded name resolution. This vulnerability was discovered on January 22, 2025, and was fixed with the release of curl 8.12.0 on February 5, 2025 (Curl Advisory).
The vulnerability occurs specifically when libcurl is built with the threaded resolver and the eventfd feature, which is only used on 64-bit architectures. The issue stems from an #ifdef mistake: the teardown kept the two close() calls written for the original socketpair() channel, so in the eventfd build both calls run on the same descriptor. Both close() calls typically execute within a few dozen instructions of each other. The vulnerability has been assigned CWE-1341: Multiple Releases of Same Resource or Handle and is rated as Low severity (Curl Advisory, Red Hat).
The double-close vulnerability can lead to unreliable behavior in libcurl and potential denial of service. However, the impact is somewhat mitigated as many users have noticed the unreliable behavior and either avoided eventfd or the vulnerable version. The close proximity of the two close() calls also limits an external party's ability to control which other file descriptors might be affected (Curl Advisory, Red Hat).
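The following is an added illustration of the pattern the two paragraphs above describe; it is a constructed example, not curl's source, and the names wakeup_chan, chan_open, chan_close_vulnerable, chan_close_safe and bystander_clobbered are invented. It builds a resolver wake-up channel either from socketpair() (two distinct descriptors) or from an eventfd (one descriptor serving both ends), shows the teardown that was written for the socketpair layout closing the same eventfd twice, the hardened teardown that closes each distinct descriptor once, and why the second close is dangerous: if another descriptor is opened in between, it receives the just-released number and is closed out from under its owner.

```c
/* Added illustration of the double-close pattern (CWE-1341).
 * Constructed example; not curl's source, all names are invented. */
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/eventfd.h>
#endif

struct wakeup_chan {
    int read_fd;   /* end the main thread waits on */
    int write_fd;  /* end the resolver thread signals */
    int single_fd; /* 1 when read_fd and write_fd are the same descriptor */
};

/* Open the channel; use_eventfd selects the single-descriptor layout. */
static int chan_open(struct wakeup_chan *c, int use_eventfd)
{
    if (use_eventfd) {
#ifdef __linux__
        int fd = eventfd(0, EFD_CLOEXEC);
#else
        /* Non-Linux stand-in: any lone descriptor shows the same hazard. */
        int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
#endif
        if (fd < 0)
            return -1;
        c->read_fd = c->write_fd = fd;
        c->single_fd = 1;
        return 0;
    }
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    c->read_fd = sv[0];
    c->write_fd = sv[1];
    c->single_fd = 0;
    return 0;
}

/* Vulnerable teardown: written for socketpair() and never adjusted for the
 * eventfd build. Returns how many close() calls failed; under eventfd the
 * second one fails with EBADF, or worse, succeeds on a descriptor that has
 * meanwhile been handed to someone else. */
static int chan_close_vulnerable(struct wakeup_chan *c)
{
    int failures = 0;
    if (close(c->read_fd) < 0)
        failures++;
    if (close(c->write_fd) < 0)   /* same descriptor again when single_fd */
        failures++;
    c->read_fd = c->write_fd = -1;
    return failures;
}

/* Hardened teardown: close each distinct descriptor exactly once, then
 * invalidate the fields so a repeated call is a harmless no-op. */
static int chan_close_safe(struct wakeup_chan *c)
{
    int failures = 0;
    if (c->read_fd >= 0 && close(c->read_fd) < 0)
        failures++;
    if (!c->single_fd && c->write_fd >= 0 && close(c->write_fd) < 0)
        failures++;
    c->read_fd = c->write_fd = -1;
    return failures;
}

/* Spells out the vulnerable teardown's two steps with other activity in
 * between: after the first close() the process opens a file, POSIX hands
 * it the lowest free number (the one just released), and the stale second
 * close() destroys that bystander. Returns 1 if the bystander was closed
 * out from under its owner, 0 if not, -1 on setup failure. */
static int bystander_clobbered(void)
{
    struct wakeup_chan c;
    if (chan_open(&c, 1) < 0)
        return -1;
    close(c.read_fd);                        /* first close of the eventfd */
    int bystander = open("/dev/null", O_RDONLY);
    if (bystander < 0)
        return -1;
    int reused = (bystander == c.read_fd);   /* number has been recycled */
    close(c.write_fd);                       /* second close: hits the bystander */
    int gone = (fcntl(bystander, F_GETFD) < 0 && errno == EBADF);
    if (!gone)
        close(bystander);
    return reused && gone;
}
```

The hardened teardown relies on two habits that catch this class of bug regardless of which #ifdef branch built the channel: track whether the two ends are one descriptor, and set every closed field to -1 so a stale copy can never be passed to close() again.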
Several mitigation options are available, in order of preference: 1) Upgrade curl and libcurl to version 8.12.0, 2) Apply the patch to the existing version and rebuild, 3) Disable eventfd use in the build, or 4) Use the c-ares resolver backend. The vulnerability was fixed in commit ff5091aa9f73802e894b1cbdf (Curl Advisory).
There has been some technical discussion regarding whether this issue represents a C language-specific mistake. While the curl project maintains this is not a C-specific issue, some security researchers argue that higher-level languages would have prevented this through idiomatic APIs or type system enforcement (OSS Security).
Source: This report was generated using AI