CVE-2025-0725:
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses...

CVSS Score: 7.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.44208%
Published: 2/5/2025
Updated: 5/13/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Intelligence
Root Cause Analysis

The vulnerability CVE-2025-0725 describes an integer overflow leading to a buffer overflow in libcurl when handling gzip decompression with zlib versions 1.2.0.3 or older. The analysis of the provided commit information, particularly the fixing commit 76f83f0db23846e254d940ec7, reveals the vulnerable code sections.

  1. The function check_gzip_header was responsible for parsing the gzip header in the code path for older zlib versions. An integer overflow in this function during length calculations (e.g., for extra fields) could corrupt the determined header length (hlen). This function was entirely removed as part of the fix for the old zlib path.
  2. The function gzip_do_write contained the logic to handle different zlib versions. For versions < 1.2.0.4, it used check_gzip_header. If hlen was corrupted by an integer overflow in check_gzip_header, gzip_do_write would use this incorrect hlen to calculate z->avail_in (the amount of data available for decompression). A miscalculated avail_in (e.g., a very large value due to integer wrap-around) would then be passed to inflate() (via inflate_stream), causing it to read out of bounds, resulting in a buffer overflow.

The fixing commit removes the entire code path that supported these old zlib versions, including the check_gzip_header function and the specific logic within gzip_do_write that called it and subsequently set up the zlib stream for inflate_stream. This directly points to these two functions (or the specific removed parts of gzip_do_write) as containing the vulnerability.
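A bounds-checked form of the header-length calculation this analysis describes, as an added example that is not libcurl's code and is not taken from the fixing commit. The function names and status codes are assumptions; the header layout follows RFC 1952.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libcurl code; all names here are hypothetical. */
enum gz_status { GZ_OK, GZ_UNDERFLOW, GZ_BAD };
enum { FHCRC = 0x02, FEXTRA = 0x04, FNAME = 0x08, FCOMMENT = 0x10,
       RESERVED = 0xE0 };

/* Skip a NUL-terminated field at *pos; returns 0 if the NUL is missing. */
static int skip_zstring(const uint8_t *d, size_t n, size_t *pos)
{
  while(*pos < n && d[*pos])
    (*pos)++;
  if(*pos == n)
    return 0;
  (*pos)++; /* consume the NUL */
  return 1;
}

/* Parse an RFC 1952 header. On GZ_OK, *hlen <= n always holds, so a
   caller computing the remaining input as (n - *hlen) cannot wrap. */
enum gz_status gz_header_len(const uint8_t *d, size_t n, size_t *hlen)
{
  size_t pos = 10; /* fixed part: magic, CM, FLG, MTIME, XFL, OS */
  if(n < 10)
    return GZ_UNDERFLOW;
  if(d[0] != 0x1f || d[1] != 0x8b || d[2] != 8 || (d[3] & RESERVED))
    return GZ_BAD;
  if(d[3] & FEXTRA) {
    size_t xlen;
    if(n - pos < 2)
      return GZ_UNDERFLOW;
    xlen = (size_t)d[pos] | ((size_t)d[pos + 1] << 8);
    pos += 2;
    if(n - pos < xlen) /* compare with bytes left; never add first */
      return GZ_UNDERFLOW;
    pos += xlen;
  }
  if((d[3] & FNAME) && !skip_zstring(d, n, &pos))
    return GZ_UNDERFLOW;
  if((d[3] & FCOMMENT) && !skip_zstring(d, n, &pos))
    return GZ_UNDERFLOW;
  if(d[3] & FHCRC) {
    if(n - pos < 2)
      return GZ_UNDERFLOW;
    pos += 2;
  }
  *hlen = pos;
  return GZ_OK;
}
```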
