curl: heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform

Calling curleasysetoptcurl, CURLOPTREFERER, ... to replace or clear a previously-set referer after curleasyperform frees the old string via Curlsetstropt lib/setopt.c:87 but leaves data-state.referer.ptr pointing at the freed heap region. curleasygetinfoCURLINFOREFERER and curleasyduphandle then...

curl: Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree

Hi all, We've found an issue in lib/easy.c where curleasyduphandle shallow-copies set.priority, so the original and the duplicate end up holding two independent pointer-typed variables that both reference the same heap-allocated Curldataprionode chain. Freeing the chain from one side leaves the...

JLSEC-2025-35 This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the ...

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a functio...

AZL-31289 CVE-2023-38546 affecting package curl for versions less than 8.3.0-2

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a functio...

The vulnerability of the curl_easy_duphandle function in the libcurl library allows a hacker to create or re-record cookies.

The vulnerability of the curleasyduphandle function in the libcurl library is related to external control via a filename or file path. Exploiting this vulnerability allows a malicious actor to create or rewrite cookie files remotely...

SuSE 11.3 Security Update : curl (SAT Patch Number 10166)

This update fixes the following security issues : - URL request injection bnc911363 When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. CVE-2014-8150 If the given URL contains line feeds and carriage returns those will be sent alo...

CURL-CVE-2014-3707 duphandle read out of bounds

libcurl's function curleasyduphandle has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending. When doing an HTTP POST transfer with libcurl, you can use the CURLOPTCOPYPOSTFIELDS option to specify a memory area holding the data to send to the...