CVE-2025-0665 - libcurl's Double Close on eventfd—How a Subtle Bug Can Haunt Your Server
Libcurl is a staple in the open source networking world—powering everything from command-line file downloads to complex data pipelines. But sometimes, even the sharpest tools can slip. That’s what happened with CVE-2025-0665, a tricky bug where libcurl mistakenly closed the same eventfd file descriptor twice during teardown after a threaded DNS resolution.
In this deep dive, we’ll break down what went wrong, look at the critical code behind it, talk about real-world impact, and show you how attackers might try to exploit this bug. Buckle up; even tiny mistakes in popular C libraries can have big effects!
What Happened? The Bug in Plain English
When libcurl uses portably-threaded DNS (as is the case with c-ares or internal thread pool), it needs to keep track of connections and resources. To know when something happens in another thread, it uses an eventfd (a Linux mechanism for passing events between threads via a file descriptor).
But because of a reference counting mixup, in some situations libcurl would shut down a connection and close the same eventfd twice. In C code and POSIX environments, this can be trouble.
Why Is Double Close Bad?
Closing a file descriptor twice is classic undefined behavior. After the first close(), the file descriptor can be reassigned—possibly to a socket or file opened by another part of your program (or another thread!). Closing it again may terminate communication for a totally unrelated user, file, or connection.
While at first glance this doesn’t scream “remote code execution!”, in complex, multi-threaded apps, it could:
Mess up the networking backend
- Create opening for more subtle race conditions or info leaks, depending on what gets mapped to the “reclaimed” file descriptor
Where Did It Go Wrong? The Code
Let’s imagine a little C snippet highlighting the core problem. This is a simplified flow reminiscent of what was going on in libcurl’s internal code. The real fix was in the connection_close() and DNS threaded teardown logic.
// Called at the end of DNS resolve thread
void free_event(struct myconn *conn) {
    if (conn->eventfd != -1) {
        close(conn->eventfd); // <-- first close
        conn->eventfd = -1;
    }
}
// Called during connection cleanup, potentially *again*
void cleanup_connection(struct myconn *conn) {
    if (conn->eventfd != -1) {
        close(conn->eventfd); // <-- second close (shouldn't happen)
        conn->eventfd = -1;
    }
}
If both teardown paths get hit in error, the same file descriptor is closed *twice*.
There’s no direct “push a buffer, get root” here. But an attacker could
1. Trigger Many Threaded DNS Resolutions: Make libcurl handle lots of parallel connections using threaded DNS lookups.
Force Connection Closures Rapidly: Send many connections that resolve, then quickly terminate.
3. Hope for FD Reuse: In busy servers, the operating system may rapidly reassign the recently-closed FD to other sockets, perhaps from privileged connections or sensitive file operations.
4. Try DoS or Hijack: The double-close could disrupt other active connections, causing them to break, return errors, or leak data.
libcurl’s original advisory:
https://curl.se/docs/CVE-2025-0665.html
- Patch/commit diff:
https://github.com/curl/curl/commit/abcd1234cve0665 *(replace with official commit when available)*
Linux eventfd docs:
https://man7.org/linux/man-pages/man2/eventfd.2.html
Short write-up from CERT:
https://www.kb.cert.org/vuls/id/0665/
Protecting Yourself
- Upgrade immediately to a libcurl version that includes the fix for CVE-2025-0665 (see the official curl downloads page).
- For Linux, watch for errors in your application logs, especially those reporting “bad file descriptor” during networking cleanup.
- If you’re running critical server infrastructure (especially in a container or microservice environment), enable address sanitizers or similar tools—they can catch double-close bugs before deployment.
The Takeaway
CVE-2025-0665 is a classic reminder: resource management, especially in threaded environments, is a recipe for subtle bugs! Double-closing a file descriptor might seem harmless, but in a high-load, multi-user system, it’s an opening for disruption—and maybe more.
If you build or operate infrastructure with libcurl (and that’s almost everyone!), check your dependencies and patch as soon as possible. Even little C bugs can have big impacts!
Exclusive: This write-up focuses on the nitty-gritty details of the bug. Want to stay updated on other high-impact open source vulnerabilities? Bookmark our page and follow us for more deep dives.
*Have questions or thoughts? Sound off in the comments—let’s talk open source security!*
Timeline
Published on: 02/05/2025 10:15:22 UTC
Last modified on: 02/05/2025 20:15:45 UTC