Impact
Curl, when configured to use the Certificate Status Request TLS extension for OCSP stapling, mis-classifies all received OCSP responses as valid. This flaw means that a revoked or otherwise invalid server certificate can appear acceptable, enabling an attacker to impersonate the server and intercept or tamper with encrypted traffic (inferred). The vulnerability is a clear bypass of certificate validation that compromises the integrity of TLS connections.
Affected Systems
The likely affected systems are curl builds that rely on Apple’s SecTrust framework for OCSP stapling (inferred). Any curl version running on Apple platforms (macOS or iOS) that employs SecTrust to verify stapled responses is vulnerable, regardless of the specific release number. No specific version range is listed, so all releases capable of this logic are at risk.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS value of less than 1% suggests exploitation is presently considered low probability. The vulnerability is not included in the CISA KEV catalog. The likely attack vector is an attacker controlling the OCSP responder or injecting a forged OCSP response that curl accepts (inferred). If successful, the attacker could conduct a man-in-the-middle attack and compromise the confidentiality or integrity of the TLS session. Although the exploitation chance is small, the potential impact is significant for environments that rely on strict TLS verification.
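Because no version range is listed, the practical defender question raised by the Affected Systems and Risk sections is "which of my curl builds verify stapled OCSP responses through Apple's SecureTransport/SecTrust path, and does `--cert-status` actually reject a bad status on them?" The following helper is an added example, not curl's or OpenCVE's own code: it parses `curl --version` output to list the TLS backends a build was linked against, and interprets the exit status of a `curl --cert-status` probe (the `--cert-status` switch is curl's real option for requiring and validating a stapled OCSP response; exit codes 0, 60 and 91 are curl's documented return codes). The backend name list and the sample `--version` text are assumptions constructed for the example.

```python
"""Inventory helper for the curl OCSP-stapling issue described above (added example)."""
import re
import subprocess
from typing import Dict, List

# TLS backend tokens curl prints on the first line of `curl --version`.
# Assumption: this set covers the backends curl can be built with; a
# "/version" suffix may follow the name and is ignored.
_BACKEND_RE = re.compile(
    r"\b(SecureTransport|OpenSSL|LibreSSL|BoringSSL|GnuTLS|wolfSSL|mbedTLS"
    r"|Schannel|rustls|quictls|AWS-LC)(?:/[\w.\-]+)?"
)

# curl exit codes relevant to a `--cert-status` probe (from curl's documented exit codes).
CURL_EXIT_MEANING: Dict[int, str] = {
    0: "ok: certificate accepted and stapled status validated",
    60: "peer certificate cannot be authenticated (chain/trust failure)",
    91: "invalid SSL certificate status (stapled OCSP response rejected)",
}


def tls_backends(version_output: str) -> List[str]:
    """Return the TLS backend names found on the first line of `curl --version` output."""
    first_line = version_output.splitlines()[0] if version_output else ""
    return [m.group(1) for m in _BACKEND_RE.finditer(first_line)]


def uses_securetransport(version_output: str) -> bool:
    """True when the build lists SecureTransport, Apple's TLS stack that verifies via SecTrust."""
    return "SecureTransport" in tls_backends(version_output)


def interpret_cert_status_exit(code: int) -> str:
    """Map a `curl --cert-status` exit code to a human-readable verdict."""
    return CURL_EXIT_MEANING.get(code, f"curl exit code {code}: see the EXIT CODES section of `man curl`")


def probe_cert_status(url: str, timeout: int = 15) -> str:
    """Run `curl --cert-status` against url and describe the result.

    Network call; only useful against a host whose stapled status you control
    or already know. Not exercised offline.
    """
    proc = subprocess.run(
        ["curl", "--silent", "--output", "/dev/null", "--cert-status",
         "--max-time", str(timeout), url],
        check=False,
    )
    return interpret_cert_status_exit(proc.returncode)


# Constructed sample output, modelled on the format curl prints on macOS
# (not captured from a real host).
SAMPLE_VERSION_OUTPUT = (
    "curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 (SecureTransport) "
    "LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.58.0\n"
    "Release-Date: 2023-10-11\n"
    "Protocols: dict file ftp ftps http https imap imaps\n"
    "Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz MultiSSL NTLM SSL threadsafe UnixSockets\n"
)

if __name__ == "__main__":
    print("backends:", tls_backends(SAMPLE_VERSION_OUTPUT))
    print("SecureTransport build:", uses_securetransport(SAMPLE_VERSION_OUTPUT))
    for code in (0, 60, 91):
        print(code, "->", interpret_cert_status_exit(code))
```

In a fleet check, feed each host's real `curl --version` output to `uses_securetransport()` to build the review list, then use `probe_cert_status()` against an endpoint whose stapled status you control: a build that returns 0 where 91 is expected is the behaviour this advisory describes.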
OpenCVE Enrichment