curl: heap-use-after-free in curl_easy_cleanup() called from callback
Summary: Curl_close() (lib/url.c:214) calls curl_multi_remove_handle(data->multi, data) and ignores the return value. When curl_easy_cleanup() is invoked from within a write/read/progress/header callback, multi->in_callback is TRUE, so curl_multi_remove_handle() (lib/multi.c:818-819) returns CURLM_RECURSIVE_API_CALL withou...
curl: libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF
Summary: Several libcurl upload read callback paths invoke the application-provided CURLOPT_READFUNCTION without marking the easy handle as being inside a callback. As a result, recursive multi APIs that are correctly rejected from ordinary callbacks are accepted from these upload read callback...
curl: setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse
Summary: Curl_ssl_conn_config_update() overwrites conn->ssl_config.verifypeer when curl_easy_setopt(CURLOPT_SSL_VERIFYPEER, ...) is called, with no handshake-state guard — only if(data->conn). Since setopt is documented as callable from callbacks (setopt.c:2930), an application can connect with verifypeer=0 accepti...
curl: CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer
Summary: CURLSHOPT_UNSHARE can free a shared SSL session cache while another thread is starting a normal HTTPS transfer with the same share handle. The failing transfer reaches the cache through curl_easy_perform(), during the OpenSSL handshake. libcurl appears to try to reject this kind of lifetime...
curl: ssh_config_matches is dead code: unauthorized SSH key reuse
Summary: libcurl's SSH connection-reuse guard ssh_config_matches() — added for CVE-2022-27782 and reaffirmed by CVE-2023-27538 — is dead code in every release since 7.83.1. It compares sshc->rsa / sshc->rsa_pub between a new transfer ("needle") and a pooled connection, but on both sides those pointers are...
curl: mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0
Summary: When an application sets CURLOPT_SSL_VERIFYPEER=0 while keeping CURLOPT_SSL_VERIFYHOST=2 (the default), the mbedTLS, wolfSSL, and rustls TLS backends silently skip the hostname-vs-certificate check. The OpenSSL, GnuTLS, and Schannel backends correctly preserve hostname checking under the same...
curl: UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback
Summary: The CVE-2026-9080 fix re-fetches the sh_entry after the socket callback inside mev_sh_entry_update(), because curl_easy_pause() called from that callback re-enters mev_assess() and can free the entry. The same re-fetch was not applied at the caller, mev_pollset_diff(), which dereferences its own entry...
curl: Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)
Summary: libcurl's event interface lets the application's socket callback (CURLMOPT_SOCKETFUNCTION) call curl_easy_pause(). CVE-2026-9080 was issued for a use-after-free that this triggers, and the fix added a post-callback re-fetch of the socket-hash entry in the UPDATE leg (mev_sh_entry_update()),...
curl: CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection
Summary: The CURLOPT_HAPROXY_CLIENT_IP option accepts an arbitrary string without validating that it is a valid IP address, and without stripping special characters such as \r\n (CRLF) or spaces. Because this value is embedded directly into the HAProxy PROXY protocol v1 header line, an attacker who can...
Node.js: Node --run POSIX positional argument escaping allows shell command injection
Summary: Node.js node --run -- attempts to append positional arguments to a package script after escaping each argument for the shell. On POSIX platforms, the escaping logic handles single quotes incorrectly. A positional argument containing a single quote can break out of the intended quoted...
Nintendo: [Splatoon 3] Kick other players with NplnLogin message
A vulnerability was discovered that allowed players to kick other players from a Splatoon 3 game using an NplnLogin message...
curl: Vulnerability Report: Buffer Overflow in Path Sanitization
Vulnerability Report: Buffer Overflow in Path Sanitization. Summary: Multiple buffer overflow vulnerabilities exist in the src/tool_doswin.c file due to insufficient bounds checking and improper memory management in path sanitization functions. Affected Components: - sanitize_file_name (line 180) -...
curl: Secure cookies leaked to HTTP origins through HTTPS forwarding proxy
Summary: When curl accesses an http:// origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between the proxy and the origin server, visible to the proxy operator and anyone on that network path. curl also reports CURLINFO_SCHEME as...
curl: verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball
Summary: scripts/verify-release is documented as a way to independently verify a downloaded curl release tarball, but on curl-8.20.0 it extracts the tarball under verification and executes ./configure and ./scripts/dmaketgz before any trust decision is made. This creates a circular trust failure:...
curl: CVE-2026-12064: proto-default skips SSH verification
Summary: When a user invokes curl with a schemeless URL and --proto-default sftp or scp, the tool layer guesses the URL is HTTP and skips setting SSH security options (CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_KNOWNHOSTS). However, libcurl's runtime correctly applies --proto-default and connects via...
curl: Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections
TL;DR A malicious HTTP origin can send Transfer-Encoding: chunked, chunked, gzip through a reusable HTTP proxy connection to bypass curl's "chunked must be last" guard, queue a forged HTTP response after its own response, and make curl parse that queued data as the response for a later request to...
curl: Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1
When curl sends a request with Transfer-Encoding: chunked using HTTP/1.1, and follows a redirect to an HTTP/2 endpoint, the upload_chunky flag is not properly reset. As a result, the Transfer-Encoding: chunked header is sent in the subsequent request even when HTTP/2 is negotiated/used. This violat...
curl: CVE-2026-11856: cross-origin Digest auth state leak
Summary: This issue is the HTTP sibling to the previously disclosed RTSP Digest auth leak. When an application uses libcurl and reuses the same easy handle for sequential transfers (the documented best practice), the Digest authentication state captured from the first origin is silently sent to the...
Revive Adserver: Reflected XSS in stats-video.php via improperly encoded URL parameters
A reflected XSS vulnerability was discovered in the stats-video.php script due to improper encoding of user input in the URL parameters...
curl: Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials
Summary: When curl follows a redirect where the Location header contains a hostname with a trailing dot (e.g., https://example.com./path), Curl_peer_equal() (peer.c:321-330) compares the original hostname example.com against the redirect target example.com. using curl_strequal(), which does not normalize...
curl: curl-ipv4-percent-normalization-SSRF
Summary: six or fewer sentences describing the issue in your own human voice and optionally a short proof-of-concept script Affected version Which curl/libcurl version are you using to reproduce? On which platform? curl -V typically generates good output to include Steps To Reproduce: add details...
curl: CVE-2026-11564: Native CA trust persist
A vulnerability was discovered in the libcurl library where a native CA trust could persist after an easy handle switches to custom CA material. The vulnerability was found to affect builds of libcurl that enable the native CA trust feature. The issue stemmed from the fact that the library did no...
curl: CVE-2026-11586: WS Auto-PONG memory exhaustion
Summary: TL;DR: a remote WebSocket peer can make default curl/libcurl grow memory until timeout or OOM by sending legal PING frames while refusing to read the client's automatic PONGs. curl automatically replies to each received WebSocket PING with a PONG unless CURLWS_NOAUTOPONG is set. In...
curl: SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal
Summary: libcurl's SSH/SFTP connection reuse logic no longer binds a pooled SSH connection to the SSH key identity requested by the new transfer. After ssh_config_matches() was removed, url_match_proto_config() again has no SSH-specific check for CURLOPT_SSH_PUBLIC_KEYFILE or CURLOPT_SSH_PRIVATE_KEYFILE. An...
curl: SOCKS5 no-auth accepted despite username/password-only authentication
Summary: curl/libcurl appears to allow unauthenticated SOCKS5 negotiation even when the caller explicitly configures username/password-only SOCKS5 authentication. With --socks5-basic and SOCKS5 credentials set, curl still advertises both SOCKS5 method 0x00 (no authentication) and 0x02...
curl: libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect — RC=0, curl 8
Summary: curl's HTTP/1.x response header parser splits header lines using a single memchr(buf, '\n', blen) call (lib/http.c:4457), with no awareness of whether the current position is inside a quoted-string value. A server response containing any header field whose value embeds a raw LF byte (\x0a) caus...
curl: GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding)
Summary: This report describes a variant of the publicly disclosed curl vulnerability CVE-2020-8286 (OCSP stapling verification bypass), found in the GnuTLS TLS backend (lib/vtls/gtls.c). The original CVE affected the NSS backend; this variant reproduces the same logical class of defect — accepting...
Revive Adserver: XML-RPC login leak exposes valid session ID enabling unauthorized API access
Vulnerability description not provided...
curl: CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
Summary: curl's QUIC UDP receive helper ignores zero-length UDP datagrams before counting them against the per-call packet budget. On Linux, recvmmsg_packets() loops while pkts < max_pkts, but if(!mmsg[i].msg_len) continue; runs before pkts is incremented. The recvmsg_packets() backend has the same no-progress...
Revive Adserver: CSRF in zone-include.php allows unauthorized banner and campaign linking
The zone-include.php script in Revive Adserver 6.0.7 was vulnerable to a CSRF attack. Linking and unlinking banners or campaigns to zones could be triggered via crafted GET or POST requests without any verification of the CSRF token, allowing an attacker to perform these actions on behalf of an...
Revive Adserver: PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting
Vulnerability description not provided...
Revive Adserver: Stored XSS in maintenance tools via unescaped entity names
A stored XSS vulnerability was discovered in the maintenance tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected in the maintenance-acl-check.php and maintenance-banners-check.php files...
curl: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl
Summary: curl's OpenSSL backend can accept a new TLS 1.2 HTTPS connection after the server certificate has expired if the connection resumes a previously cached TLS session. A full handshake made at the same time with the same certificate fails with CURLE_PEER_FAILED_VERIFICATION, but the resumed...
Node.js: Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions
Summary: The March 2026 security release patched CVE-2026-21637 by wrapping SNICallback, ALPNCallback, and pskCallback invocations in try/catch blocks inside lib/internal/tls/wrap.js. That fix is present in v26.3.0. However, two other TLS callback paths in the same file were left unprotected: 1...
Revive Adserver: PHP code injection in delivery-limitation `logical` validation bypass
A vulnerability in the delivery-limitation logical validation was reported. The vulnerability allowed bypassing the fix for CVE-2026-34916 by sending a disallowed but otherwise valid plugin identifier as type, or using the ox.setChannelTargeting XML-RPC API method...
Revive Adserver: Reflected XSS via unsanitised refresh parameter in zone invocation tag
A missing sanitization of user input in the zone-include.php script of Revive Adserver 6.0.7 and earlier was reported. This vulnerability allowed a low-privileged user to perform reflected XSS attacks by exploiting the refresh parameter of the iFrame invocation tag...
curl: DNS domain search list followed for extant domain missing A or AAAA records
Summary: curl calls getaddrinfo() to resolve a domain's addresses; however, glibc will continue through the domain search list to find data even if it gets a NODATA response. When using AF_UNSPEC in the ai_hints, this search will stop at the first domain with either an A or AAAA record, however when...
Revive Adserver: Missing ownership validation allows cross-manager tracker–campaign linking
A vulnerability was reported in Revive Adserver version 6.0.7 and earlier that allowed a low-privileged user to link their trackers to campaigns owned by other managers on the same instance. This was due to a lack of proper ownership validation in the tracker-campaigns.php script, which handled t...
curl: PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary
Summary: After a Digest-authenticated HTTP proxy transfer, changing only CURLOPT_PRE_PROXY on the same libcurl easy handle does not clear stale proxy Digest/auth state. If the new SOCKS pre-proxy resolves the same HTTP proxy hostname to a different proxy endpoint, the second proxy receives a...
curl: RTSP Digest auth state leaks across origins on reused libcurl easy handle
Summary: When a reused libcurl easy handle first authenticates to one RTSP origin with Digest authentication and is then switched to a different RTSP origin, libcurl can send the old origin's Digest authentication state to the new origin. The second RTSP server does not need to send a...
curl: TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix
Summary: TFTP uploads ignore the configured resume offset. When a caller runs curl -C N -T file tftp://... or uses libcurl with CURLOPT_UPLOAD and CURLOPT_RESUME_FROM, curl should skip the first N bytes of the local source before uploading. Instead, the TFTP code sends the complete local file from by...
PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection
The fix for CVE-2022-35406 1541301 stops Burp from following a redirect when the response Content-Type/Content-Disposition would prevent HTML rendering. The check substring-matches html in the raw Content-Type instead of parsing the media type. A text/plain response can smuggle the token via a...
curl: libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope
Summary: libcurl 8.20.0 ignores the server-declared HTTP Digest domain protection space for origin authentication and reuses stored Digest state too broadly on the same easy handle. After a successful Digest-authenticated request, a later request on the same easy handle can receive a preemptive...
curl: heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform
Calling curl_easy_setopt(curl, CURLOPT_REFERER, ...) to replace or clear a previously-set referer after curl_easy_perform() frees the old string via Curl_setstropt() (lib/setopt.c:87) but leaves data->state.referer.ptr pointing at the freed heap region. curl_easy_getinfo(CURLINFO_REFERER) and curl_easy_duphandle() then...
curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy
Summary: curl/libcurl 8.20.0 fails to enforce CURLOPT_NOPROXY, --noproxy, and NO_PROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...
curl: SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master
Summary: Current master reintroduces a STARTTLS connection-reuse bug in SMTP. After commit 91dcf4e610 (url: url_match_destination fix), curl/libcurl can reuse an already-established clear-text smtp:// session for a later logical request that explicitly requires TLS via --ssl-reqd or CURLOPT_USE_SSL =...
curl: Low priority HSTS bypass in curl_easy_duphandle()
Summary: curl_easy_duphandle() creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent's lifetime. This means the client using a cloned handle may...
curl: Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)
Summary: When an HTTP/1.x proxy returns a 407 with no Content-Length and no chunked transfer-encoding, lib/cf-h1-proxy.c single_header sets ts->keepon = KEEPON_DONE but never sets ts->close_connection = TRUE. Because ts->close_connection and conn->bits.close both stay false, the CONNECT tunnel state...
curl: curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite
Vulnerability Report: curl External-Controlled Filename in --url @file Leads to Arbitrary File Overwrite. 1. Product Overview: curl is a widely used command-line tool and library (libcurl) for transferring data with URL syntax across multiple protocols such as HTTP, HTTPS, and FTP. It is preinstalled...
curl: CURLOPT_COOKIE leaked to cross-origin redirect target — CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path
Summary: http_cookies() at lib/http.c:2532-2534 appends the value of CURLOPT_COOKIE (the cookie supplied via -b) to outgoing Cookie: headers without invoking Curl_auth_allowed_to_host(). As a result, when CURLOPT_FOLLOWLOCATION is enabled and the initial origin issues a cross-origin redirect (open redirector),...