Amazon Linux 2 Security Advisory: ALAS2-2025-3088
Advisory Released Date: 2025-12-08
Advisory Updated Date: 2025-12-08
Severity:
Medium
Issue Overview:
wcurl path traversal with percent-encoded slashes
URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. (CVE-2025-11563)
Affected Packages:
curl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update curl or yum update --advisory ALAS2-2025-3088 to update your system.
New Packages:
aarch64:
curl-8.3.0-1.amzn2.0.11.aarch64
libcurl-8.3.0-1.amzn2.0.11.aarch64
libcurl-devel-8.3.0-1.amzn2.0.11.aarch64
curl-debuginfo-8.3.0-1.amzn2.0.11.aarch64
i686:
curl-8.3.0-1.amzn2.0.11.i686
libcurl-8.3.0-1.amzn2.0.11.i686
libcurl-devel-8.3.0-1.amzn2.0.11.i686
curl-debuginfo-8.3.0-1.amzn2.0.11.i686
src:
curl-8.3.0-1.amzn2.0.11.src
x86_64:
curl-8.3.0-1.amzn2.0.11.x86_64
libcurl-8.3.0-1.amzn2.0.11.x86_64
libcurl-devel-8.3.0-1.amzn2.0.11.x86_64
curl-debuginfo-8.3.0-1.amzn2.0.11.x86_64