206 matches found

curl security advisories
• added 2022/04/27 8:0 a.m. • 70 views

Credential leak on redirect

curl follows HTTPS redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option. This "same host...

CVSS 5.7 | AI score 6.1 | EPSS 0.01595
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2024/09/11 8:0 a.m. • 53 views

OCSP stapling bypass with GnuTLS

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error tha...

CVSS 6.5 | AI score 7.4 | EPSS 0.00729
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2015/01/08 8:0 a.m. • 46 views

URL request injection

When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends it off. If the given URL contains line feeds and carriage returns those are sent along to the proxy too, which allows the program to for example send a separate HTTP request injected...

CVSS 4.3 | AI score 7.4 | EPSS 0.0681
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2022/10/26 8:0 a.m. • 35 views

HSTS bypass via IDN

curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL uses...

CVSS 7.5 | AI score 7.1 | EPSS 0.01644
Exploits: 0 | References: 1 | Affected Software: 2

curl security advisories
• added 2025/02/05 8:0 a.m. • 34 views

netrc and default credential leak

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare...

CVSS 3.4 | AI score 6.8 | EPSS 0.00635
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2016/05/18 8:0 a.m. • 32 views

TLS certificate check bypass with mbedTLS/PolarSSL

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3. This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend. The documentation for mbedTLS and PolarSSL wrongly says that...

CVSS 5.3 | AI score 6.1 | EPSS 0.06377
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2014/03/26 8:0 a.m. • 31 views

IP address wildcard certificate validation

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. RFC 2818 covers the requirements for matching Common Names (CNs) and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in th...

CVSS 5.8 | AI score 6.2 | EPSS 0.04888
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2016/08/03 8:0 a.m. • 26 views

Reusing connections with wrong client cert

libcurl did not consider client certificates when reusing TLS connections. libcurl supports reuse of established connections for subsequent requests. It does this by keeping a few previous connections "alive" in a connection pool so that a subsequent request that can use one of them instead of...

CVSS 7.5 | AI score 6.5 | EPSS 0.14596
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2026/03/11 8:0 a.m. • 19 views

wrong proxy connection reuse with credentials

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection...

CVSS 6.5 | AI score 7.2 | EPSS 0.00302
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 17 views

cross-proxy Digest auth state leak

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVSS 5.3 | AI score 5.2 | EPSS 0.00471
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/06/24 8:0 a.m. • 16 views

incomplete mTLS config matching in conn reuse

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS...

AI score 5.8
Exploits: 0 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/03/11 8:0 a.m. • 15 views

token leak with redirect and netrc

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with eithe...

CVSS 5.3 | AI score 7.6 | EPSS 0.00333
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/01/07 8:0 a.m. • 15 views

bearer token leak on cross-protocol redirect

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...

CVSS 5.3 | AI score 5.9 | EPSS 0.00611
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 14 views

connection reuse ignores TLS requirement

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text via IMAP, SMTP, or POP3, a subsequent request to that same host bypasses the TLS requirement and instead transm...

CVSS 5.9 | AI score 5.2 | EPSS 0.00329
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 14 views

stale custom cookie host causes cookie leak

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVSS 7.5 | AI score 5.2 | EPSS 0.00291
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2020/12/09 8:0 a.m. • 14 views

FTP wildcard stack overflow

libcurl offers a wildcard matching functionality, which allows a callback set with CURLOPT_CHUNK_BGN_FUNCTION to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns...

CVSS 7.5 | AI score 6.9 | EPSS 0.09917
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2020/06/24 8:0 a.m. • 14 views

curl overwrite local file with -J

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line. The command line tool offers the -J option that saves a remote file using the filename present in the Content-Disposition: response header. curl then...

CVSS 7.8 | AI score 6.7 | EPSS 0.01236
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2000/10/13 8:0 a.m. • 14 views

FTP Server Response Buffer Overflow

When storing an FTP server's error message on failure, there was no check for input length and thus a malicious FTP server could overflow curl's stack based buffer...

CVSS 10 | AI score 5.3 | EPSS 0.19247
Exploits: 1 | Affected Software: 2

curl security advisories
• added 2026/06/24 8:0 a.m. • 13 views

UAF after pause in socket callback

Calling curl_easy_pause within the event-based CURLMOPT_SOCKETFUNCTION callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed...

AI score 5.7
Exploits: 0 | References: 1 | Affected Software: 2

curl security advisories
• added 2023/05/17 8:0 a.m. • 13 views

IDN wildcard match

curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN International Domain...

CVSS 5.9 | AI score 6.4 | EPSS 0.0181
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/03/11 8:0 a.m. • 11 views

bad reuse of HTTP Negotiate connection

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVSS 6.5 | AI score 7.2 | EPSS 0.00259
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2025/05/28 8:0 a.m. • 11 views

No QUIC certificate pinning with wolfSSL

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

CVSS 4.8 | AI score 7 | EPSS 0.00241
Exploits: 2 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/09/15 8:0 a.m. • 11 views

Protocol downgrade required TLS bypassed

A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but...

CVSS 7.5 | AI score 6.5 | EPSS 0.04224
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/09/15 8:0 a.m. • 11 views

UAF and double free in MQTT sending

When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again...

CVSS 9.1 | AI score 6.2 | EPSS 0.06216
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/07/21 8:0 a.m. • 11 views

Wrong content via Metalink not discarded

When curl is instructed to download content using the Metalink feature, the content is verified against a hash provided in the Metalink XML file. The Metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers and t...

CVSS 6.5 | AI score 6 | EPSS 0.04313
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2016/05/30 8:0 a.m. • 11 views

Windows DLL hijacking

libcurl would load Windows system DLLs in a manner that may make it vulnerable to a DLL hijacking (aka binary planting) attack in certain configurations. libcurl has a unified code base that builds and runs on a multitude of different versions of Windows. To make that possible, when libcurl is buil...

CVSS 7.8 | AI score 7.6 | EPSS 0.00565
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2015/04/29 8:0 a.m. • 11 views

sensitive HTTP server headers also sent to proxies

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option. When the connection passes through an HTTP proxy the same set of headers is sent to the prox...

CVSS 5 | AI score 7.2 | EPSS 0.07538
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 10 views

wrong reuse of HTTP Negotiate connection

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

CVSS 6.5 | AI score 5.2 | EPSS 0.00414
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2025/02/05 8:0 a.m. • 10 views

gzip integer overflow

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...

CVSS 7.3 | AI score 7.3 | EPSS 0.01168
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2024/07/31 8:0 a.m. • 10 views

ASN.1 date parser overread

libcurl's ASN1 parser code has the GTime2str function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen getting performed on a pointer to a heap buffer area that i...

CVSS 6.5 | AI score 6.8 | EPSS 0.16212
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/07/21 8:0 a.m. • 10 views

TELNET stack contents disclosure again

curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack bas...

CVSS 5.3 | AI score 6.5 | EPSS 0.04929
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2018/03/14 8:0 a.m. • 10 views

RTSP RTP buffer over-read

curl can be tricked into copying data beyond end of its heap based buffer. When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be...

CVSS 9.1 | AI score 7.2 | EPSS 0.09393
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2018/01/24 8:0 a.m. • 10 views

HTTP authentication leak in redirects

curl might leak authentication data to third parties. When asked to send custom headers in its HTTP requests, curl sends that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the...

CVSS 9.8 | AI score 6.9 | EPSS 0.08031
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2016/09/14 8:0 a.m. • 10 views

curl escape and unescape integer overflows

The four libcurl functions curl_escape, curl_easy_escape, curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The functions having names without "easy" being the deprecated versions of the others...

CVSS 9.8 | AI score 6.8 | EPSS 0.11737
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2015/06/17 8:0 a.m. • 10 views

lingering HTTP credentials in connection reuse

libcurl can wrongly send HTTP credentials when reusing connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Like all other libcurl options the credentials are sticky and are...

CVSS 5 | AI score 8 | EPSS 0.0821
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2005/02/21 8:0 a.m. • 10 views

Authentication Buffer Overflows

Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation and for an FTP server to overflow the client during krb4 negotiation. The announcement of this flaw w...

CVSS 8.8 | AI score 5.5 | EPSS 0.05732
Exploits: 0 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 9 views

OCSP stapling bypass with Apple SecTrust

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine...

CVSS 5.3 | AI score 5.2 | EPSS 0.00267
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2025/06/04 8:0 a.m. • 9 views

WebSocket endless loop

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...

CVSS 7.5 | AI score 6.9 | EPSS 0.01226
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2024/07/24 8:0 a.m. • 9 views

freeing stack buffer in utf8asn1str

libcurl's ASN1 parser has this utf8asn1str function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort...

CVSS 7.5 | AI score 7.8 | EPSS 0.04296
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2023/10/11 8:0 a.m. • 9 views

SOCKS5 heap buffer overflow

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname ...

CVSS 9.8 | AI score 7.4 | EPSS 0.78483
Exploits: 6 | References: 1 | Affected Software: 2

curl security advisories
• added 2023/03/20 8:0 a.m. • 9 views

SSH connection too eager reuse still

libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were...

CVSS 7.7 | AI score 6.6 | EPSS 0.01162
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/07/21 8:0 a.m. • 9 views

CURLOPT_SSLCERT mix-up with Secure Transport

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool). When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certifica...

CVSS 7.5 | AI score 6.2 | EPSS 0.0982
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/07/21 8:0 a.m. • 9 views

Metalink download sends credentials

When curl is instructed to get content using the Metalink feature, and a user name and password are used to download the Metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl downloads or tries to download the contents from. Often contrar...

CVSS 5.3 | AI score 6.5 | EPSS 0.01843
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2021/03/31 8:0 a.m. • 9 views

TLS 1.3 session ticket proxy host mix-up

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote serve...

CVSS 4.3 | AI score 6.8 | EPSS 0.03141
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2020/06/24 8:0 a.m. • 9 views

Partial password leak over DNS on HTTP redirect

libcurl can be tricked to prepend a part of the password to the hostname before it resolves it, potentially leaking the partial password over the network and to the DNS servers. libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP...

CVSS 7.5 | AI score 7.2 | EPSS 0.03427
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2019/06/24 8:0 a.m. • 9 views

Windows OpenSSL engine code injection

A non-privileged user or program can put code and a config file in a known non-privileged path under C:/usr/local/ that makes curl automatically run the code as an OpenSSL "engine" on invocation. If that curl is invoked by a privileged user it can do anything it wants. This flaw exists in the...

CVSS 7.8 | AI score 6.2 | EPSS 0.00717
Exploits: 0 | References: 1 | Affected Software: 2

curl security advisories
• added 2012/01/24 8:0 a.m. • 9 views

SSL CBC IV vulnerability

curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified as CVE-2011-3389, aka the "BEAST" attack, and is addressed by OpenSSL already as they have made a workaround to mitigate the problem. When doing so, they figured out...

CVSS 4.3 | AI score 6.8 | EPSS 0.73327
Exploits: 4 | Affected Software: 2

curl security advisories
• added 2026/04/29 8:0 a.m. • 8 views

wrong reuse of SMB connection

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

CVSS 7.5 | AI score 5.2 | EPSS 0.00549
Exploits: 1 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/03/11 8:0 a.m. • 8 views

use after free in SMB connection reuse

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory...

CVSS 7.5 | AI score 7.2 | EPSS 0.00715
Exploits: 2 | References: 1 | Affected Software: 2

curl security advisories
• added 2026/01/07 8:0 a.m. • 8 views

broken TLS options for threaded LDAPS

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...

CVSS 6.3 | AI score 6.2 | EPSS 0.00106
Exploits: 0 | Affected Software: 2

Total number of security vulnerabilities: 206