206 matches found

curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

WS Auto-PONG memory exhaustion

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

Native CA trust persist

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

proto-default skips SSH verification

When a user invokes curl using a schemeless URL combined with --proto-default sftp or scp, a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like...

AI score: 6
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

cross-origin Digest auth state leak

Successfully using libcurl to do a transfer to a specific HTTP origin hostA with Digest authentication and then changing the origin to a different one hostB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Authorization: header field meant for hostA, to hostB...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

QUIC zero-length UDP datagrams busy-loop

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

HTTP/2 stream-dependency tree UAF

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset, and finally terminates the handle with curl_easy_cleanup. During this final cleanup phase, libcurl...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

sending old referer

A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPT_REFERER suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•7 views

SSH improper host validation

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

exposing HTTP/3 early data

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•13 views

UAF after pause in socket callback

Calling curl_easy_pause within the event-based CURLMOPT_SOCKETFUNCTION callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed...

AI score: 5.7
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•7 views

stale proxy password leak

libcurl had a flaw where, when instructed to clear proxy authentication credentials, it did not do so, leaving the old credentials around to get used for subsequent transfers that should neither know nor use them...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

password leak with netrc and user in URL

When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a username without a password, like https://[email protected]/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is n...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

env-set cross-proxy Digest auth state leak

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against proxyA using Digest auth, a subsequent transfer routed...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•16 views

incomplete mTLS config matching in conn reuse

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

SASL double-free

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

wrong reuse for different services

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When...

AI score: 5.8
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•5 views

trailing dot domain super cookie

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/06/24 8:0 a.m.•4 views

wrong STARTTLS connection reuse

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not...

AI score: 5.9
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•15 views

cross-proxy Digest auth state leak

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVSS: 5.3 | AI score: 5.2 | EPSS: 0.00471
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•9 views

OCSP stapling bypass with Apple SecTrust

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine...

CVSS: 5.3 | AI score: 5.2 | EPSS: 0.00267
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•6 views

netrc credential leak with reused proxy connection

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances...

CVSS: 5.3 | AI score: 5.2 | EPSS: 0.00519
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•6 views

proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: (1) curl is set up to use specific different proxies for different URL schemes; (2) the first proxy needs credentials; (3) the second proxy uses no credentials; (4) whil...

CVSS: 5.9 | AI score: 5.2 | EPSS: 0.00639
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•14 views

stale custom cookie host causes cookie leak

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVSS: 7.5 | AI score: 5.2 | EPSS: 0.00291
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•7 views

wrong reuse of SMB connection

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

CVSS: 7.5 | AI score: 5.2 | EPSS: 0.00549
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•9 views

wrong reuse of HTTP Negotiate connection

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

CVSS: 6.5 | AI score: 5.2 | EPSS: 0.00414
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/04/29 8:0 a.m.•13 views

connection reuse ignores TLS requirement

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text via IMAP, SMTP, or POP3, a subsequent request to that same host bypasses the TLS requirement and instead transm...

CVSS: 5.9 | AI score: 5.2 | EPSS: 0.00329
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/03/11 8:0 a.m.•10 views

bad reuse of HTTP Negotiate connection

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.00259
Exploits: 0 | Affected Software: 2
curl security advisories
•added 2026/03/11 8:0 a.m.•17 views

wrong proxy connection reuse with credentials

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.00302
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/03/11 8:0 a.m.•7 views

use after free in SMB connection reuse

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00715
Exploits: 2 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/03/11 8:0 a.m.•13 views

token leak with redirect and netrc

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with eithe...

CVSS: 5.3 | AI score: 7.6 | EPSS: 0.00333
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•6 views

libssh key passphrase bypass without agent set

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent...

CVSS: 3.1 | AI score: 5.8 | EPSS: 0.00413
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•5 views

OpenSSL partial chain store policy bypass

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed, contrary to the user's wishes and expectations. This could make libcur...

CVSS: 5.3 | AI score: 6.3 | EPSS: 0.00679
Exploits: 0 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•6 views

libssh global known_hosts override

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00457
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•7 views

broken TLS options for threaded LDAPS

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...

CVSS: 6.3 | AI score: 6.2 | EPSS: 0.00106
Exploits: 0 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•14 views

bearer token leak on cross-protocol redirect

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.00611
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2026/01/07 8:0 a.m.•6 views

No QUIC certificate pinning with GnuTLS

When using the CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper...

CVSS: 5.9 | AI score: 6.2 | EPSS: 0.00227
Exploits: 0 | Affected Software: 2
curl security advisories
•added 2025/11/05 8:0 a.m.•7 views

missing SFTP host verification with wolfSSH

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more...

CVSS: 4.3 | AI score: 5.1 | EPSS: 0.00373
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/09/10 8:0 a.m.•7 views

Out of bounds read for cookie path

1. A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with only a slash as path (path="/"). Since this site is not...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.01301
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/09/10 8:0 a.m.•5 views

predictable WebSocket mask

curl's WebSocket code did not update the 32-bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

CVSS: 5.3 | AI score: 7.2 | EPSS: 0.00466
Exploits: 0 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/06/04 8:0 a.m.•8 views

WebSocket endless loop

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.01226
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/05/28 8:0 a.m.•10 views

No QUIC certificate pinning with wolfSSL

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

CVSS: 4.8 | AI score: 7 | EPSS: 0.00241
Exploits: 2 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/05/28 8:0 a.m.•6 views

QUIC certificate check skip with wolfSSL

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks...

CVSS: 6.5 | AI score: 7.1 | EPSS: 0.00236
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/02/05 8:0 a.m.•7 views

eventfd double close

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve...

CVSS: 7 | AI score: 8 | EPSS: 0.01166
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/02/05 8:0 a.m.•33 views

netrc and default credential leak

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare...

CVSS: 3.4 | AI score: 6.8 | EPSS: 0.00635
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2025/02/05 8:0 a.m.•9 views

gzip integer overflow

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...

CVSS: 7.3 | AI score: 7.3 | EPSS: 0.01168
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2024/12/11 8:0 a.m.•7 views

netrc and redirect credential leak

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but...

CVSS: 3.4 | AI score: 6.8 | EPSS: 0.01351
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2024/11/06 8:0 a.m.•6 views

HSTS subdomain overwrites parent cache entry

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl-using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

CVSS: 6.5 | AI score: 6.9 | EPSS: 0.0197
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2024/09/11 8:0 a.m.•52 views

OCSP stapling bypass with GnuTLS

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error tha...

CVSS: 6.5 | AI score: 7.4 | EPSS: 0.00729
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2024/07/31 8:0 a.m.•9 views

ASN.1 date parser overread

libcurl's ASN1 parser code has the GTime2str function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen getting performed on a pointer to a heap buffer area that i...

CVSS: 6.5 | AI score: 6.8 | EPSS: 0.16212
Exploits: 1 | References: 1 | Affected Software: 2
curl security advisories
•added 2024/07/24 8:0 a.m.•9 views

freeing stack buffer in utf8asn1str

libcurl's ASN1 parser has this utf8asn1str function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort...

CVSS: 7.5 | AI score: 7.8 | EPSS: 0.04296
Exploits: 1 | References: 1 | Affected Software: 2
Total number of security vulnerabilities: 206