curl: SOCKS5 no-auth accepted despite username/password-only authentication

Summary: curl/libcurl appears to allow unauthenticated SOCKS5 negotiation even when the caller explicitly configures username/password-only SOCKS5 authentication. With --socks5-basic and SOCKS5 credentials set, curl still advertises both SOCKS5 method 0x00 no authentication and 0x02...

JLSEC-2026-419 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's...

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers

BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c c ifstream-bodystarted / This is a trailer / H2BUGFinfofdatas, "h2 trailer: %.s: %.s", namelen, name, valuelen, value; result = Curldynaddf&stream-trailerrecvbuf, "%.s: %.s\r\n", namelen, name,...

curl: Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl

detail: - lib/setopt.c:1048-1051 - CURLOPTSOCKS5AUTH is stored into data-set.socks5auth - lib/socks.c:597-641 socks5req0init - fresh SOCKS5 handshake reads data-set.socks5auth, if BASIC is not allowed, it clears sx-proxyuser at 618-620, so username/password auth is not even offered -...

curl: HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT

Summary: curl fails to prioritize the Transfer-Encoding: chunked header over Content-Length in HTTP/1.1 proxy responses specifically 407/401 auth challenges, violating RFC 9112 Section 6.1. I have identified the root cause in cf-h1-proxy.c. In the response-handling loop around line 466, the code...

Out of bounds read for cookie path

A cookie is set using the secure keyword for https://target curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set. The same cookie name is set - but with just a slash as path path="/". Since this site is not secure,...

curl: A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.

In lib/url.c, the detectproxy function uses a fixed-size buffer, proxyenv20, to construct proxy environment variable names e.g., httpproxy. However, the curl URL parser lib/urlapi.c allows protocol schemes up to 40 characters MAXSCHEMELEN. When a protocol scheme longer than 12 characters is used,...

CVE-2025-9086

A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set 3. The same cookie name is set - but with just a slash as path path="/",. Since this site is not...

CVE-2025-9086

CVE-2025-9086 affects curl’s curl/libcurl component. Reports indicate an out-of-bounds read when handling a cookie path for a secure cookie, which can cause a crash or potentially allow memory-read conditions. The vulnerability is documented across multiple advisories and vendor pages, including ...

CVE-2025-9086

A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set 3. The same cookie name is set - but with just a slash as path path="/",. Since this site is not...

SUSE CVE-2025-9086

A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set 3. The same cookie name is set - but with just a slash as path path="/",. Since this site is not...

UBUNTU-CVE-2025-9086

A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear text HTTP using the same cookie set 3. The same cookie name is set - but with just a slash as path path="/",. Since this site is not...

AZL-52426 CVE-2024-9681 affecting package mysql for versions less than 8.0.40-3

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

AZL-52414 CVE-2024-9681 affecting package mysql for versions less than 8.0.40-5

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

AZL-52402 CVE-2024-9681 affecting package cmake for versions less than 3.21.4-16

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

HSTS subdomain overwrites parent cache entry

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

OESA-2023-1960 curl security update

cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file...

UBUNTU-CVE-2023-46219

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use...

CVE-2022-35252

creationtimestamp| type| source ---|---|--- 2022-09-23 18:19:32+00:00| seen| https://t.me/cibsecurity/50340 2024-12-12 08:18:34+00:00| seen| https://daniel.haxx.se/blog/2024/12/12/a-twenty-five-years-old-curl-bug/...

Fedora 31 : php (2020-8e36afc743)

PHP version 7.3.21 06 Aug 2020 Apache: - Fixed bug php79030 Upgrade apache2handler's phpapachesapigetrequesttime to return usec. Herbert256 Core: - Fixed bug php79877 getimagesize function silently truncates after a null byte cmb - Fixed bug php79778 Assertion failure if dumping closure with...