1312215 matches found
curl: CVE-2026-8925: SASL double-free
Hi all, We found a double-free in the GSASL authentication path — Curlauthgsaslissupported frees gsasl-ctx on a failed gsaslclientstart but never nulls the pointer, and then Curlauthgsaslcleanup frees it again unconditionally at connection teardown. The bug lives in two spots...
curl: CVE-2026-8926: password leak with netrc and user in URL
Hey all, Before the following report, I just want to point to a comment from our scanner, where it seems it was already picked up but it was dismissed and the PR was closed later by another commit - https://github.com/curl/curl/pull/20932issuecomment-4072903895 Nonetheless, it appears this issue...
curl: HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session
Summary: libcurl can reuse an already mTLS-authenticated HTTPS proxy TLS connection for a different easy handle even when that second handle does not have the proxy private key required to establish the session itself. The issue happens because the HTTPS proxy connection reuse identity does not...
curl: CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds
Hi all, CURLOPTPROXYCAINFOBLOB introduced 7.77.0 never sets proxyssl.customcablob. On USEAPPLESECTRUST / CURLCANATIVE builds this causes curl to silently fall back to the system keychain for proxy TLS verification, nullifying the caller's blob-only trust policy. --- Root cause lib/setopt.c handle...
curl: libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely
Hi all, The libssh backend in lib/vssh/libssh.c ignores CURLOPTTIMEOUT / --max-time during SFTP subsystem negotiation. A server that completes SSH authentication and then stalls before answering the SSHFXPINIT packet will pin the curl process indefinitely — no timeout fires, no error is returned,...
curl: Schannel custom-CA path skips Extended Key Usage enforcement
Hi all, We believe the Schannel custom-CA verification path in lib/vtls/schannelverify.c may skip Extended Key Usage enforcement. In particular, a certificate that chains to the trusted custom CA but contains only id-kp-clientAuth, rather than id-kp-serverAuth, may pass peer verification on Windo...
curl: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB
Hi all, When a libcurl application's CURLOPTWRITEFUNCTION returns CURLWRITEFUNCPAUSE, libcurl routes subsequent incoming body data through cw-pause lib/cw-pause.c. The bufq inside cw-pause is initialised with BUFQOPTSOFTLIMIT and a chunk size of 16 KiB lib/cw-pause.c:51-52, which causes bufq to...
curl: rustls backend silently ignores CURLOPT_CRLFILE when native CA store is active
Hi all, When the rustls backend is configured to use the OS native CA store --ca-native / CURLSSLOPTNATIVECA, any CRL file supplied via --crlfile / CURLOPTCRLFILE is silently ignored. The option is accepted — CURLEOK from curleasysetopt, exit 0 from the command line — and revoked certificates pas...
curl: Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match
Hi all, Sorry to ruin anybody's day, but we've discovered another issue when it comes to dots. We've found a TLS certificate verification bypass that lets a trailing-dot IPv4 URL -- https://127.0.0.1./ -- pass peer authentication against a wildcard DNS SAN certificate such as DNS:.0.0.1. The IP...
Mozilla: Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column
The Taskcluster web-server's OAuth2 token-exchange handler did not consume authorization codes and did not enforce the authorization-code expiry. A leaked authorization code could be replayed to mint additional bridge access tokens for the original user, past the 10-minute window required by the...
Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check
Vulnerability description not provided...
curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0
The now-well-known CURLOPTSSLVERIFYHOST-bypass-when-CURLOPTSSLVERIFYPEER=0 defect exists in three of curl's TLS backends: rustls EXPERIMENTAL, mbedTLS, and wolfSSL DNS hostnames only. The documented contract at docs/libcurl/opts/CURLOPTSSLVERIFYPEER.md:57-59: The check that the host name in the...
curl: HTTP/2 proxy CONNECT tunnel unbounded 1xx chain (missing Curl_bump_headersize cap in cf-h2-proxy.c)
A malicious HTTPS-on-HTTP/2 proxy can grow a libcurl client's resident set without bound during the CONNECT phase by streaming 1xx informational responses. The CVE-2023-38039 cap MAXHTTPRESPHEADERSIZE, 300 KiB, enforced through Curlbumpheadersize is not applied on the HTTP/2 proxy path. The HTTP/...
curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115
Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...
curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator
Hi all, The recent creds: hold credentials refactor — commit 8f71d0fde5 2026-05-11 https://github.com/curl/curl/commit/8f71d0fde5 — introduced a credential-leak regression on HTTPS→HTTP same-port redirects. -u user:pass and --oauth2-bearer both end up in cleartext after a 302 from https://h:N/ to...
curl: CURLOPT_HSTS_CTRL disables shared HSTS without share guard — use-after-free and double-free
Hi all, CURLOPTHSTSCTRL set to a value without CURLHSTSENABLE unconditionally frees the easy's HSTS object — even when that object is shared via a CURLSH. The result is a use-after-free and a double-free on the shared 48-byte struct hsts block when the share or any other linked easy is later torn...
curl: CVE-2026-8932: incomplete mTLS config matching in conn reuse
Hi all, This report and my multiple subsequent ones may come as a surprise, as I was assured that curl now had zero vulnerabilities in it. Nonetheless, I think the CVE-2022-27782 fix "TLS and SSH connection too eager reuse", commit f18af4f874 2022-05-09, "tls: check more TLS details for connectio...
curl: CVE-2026-8924: trailing dot domain super cookie
Summary: A PSL-enabled curl build rejects a canonical public suffix cookie such as Domain=co.uk, but accepts the trailing-dot variant Domain=co.uk. when the request host also uses a trailing dot. In the reproduced case, a response from foo.co.uk. sets Set-Cookie: trail=1; Domain=co.uk.; Path=/, a...
curl: Kerberos/SPNEGO Connection Reuse Vulnerability
Kerberos/SPNEGO Connection Reuse Vulnerability in curl Summary curl reuses HTTP connections across different users without checking Kerberos state. User B's request can inherit User A's GSS security context, allowing authentication bypass. Affected Versions All curl versions with Kerberos support...
Khan Academy: 1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation
A vulnerability was discovered in the Khan Academy platform that allowed an attacker to achieve full account takeover of any user. The vulnerability was caused by an unescaped dot flaw in the regular expression used to validate redirect URLs. This allowed the attacker to register a malicious doma...