Curl Security Vulnerabilities and Issues — Curl CVE List

Lucene search

HaxxCurl

8 matches found

CVE•added 2024/03/27 8:15 a.m.•394 views

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

8.6CVSS8.3AI score0.01962EPSS

CVE•added 2024/12/11 8:15 a.m.•356 views

CVE-2024-11053

When asked to both use a .netrc file for credentials and to follow HTTPredirects, curl could leak the password used for the first host to thefollowed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matchesthe redirect target hostname but the ...

3.4CVSS7AI score0.00361EPSS

CVE•added 2024/09/11 10:15 a.m.•329 views

CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than ...

6.5CVSS6.6AI score0.00202EPSS

CVE•added 2024/02/03 2:15 p.m.•318 views

CVE-2024-0853

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling ) test failed. A subsequent transfer tothe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

5.3CVSS5.3AI score0.00156EPSS

CVE•added 2024/03/27 8:15 a.m.•315 views

CVE-2024-2466

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate che...

6.5CVSS6.4AI score0.00149EPSS

CVE•added 2024/03/27 8:15 a.m.•312 views

CVE-2024-2004

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been e...

3.5CVSS6AI score0.0091EPSS

CVE•added 2024/11/06 8:15 a.m.•311 views

CVE-2024-9681

When curl is asked to use HSTS, the expiry time for a subdomain mightoverwrite a parent domain's cache entry, making it end sooner or later thanotherwise intended. This affects curl using applications that enable HSTS and use URLs with theinsecure HTTP:// scheme and perform transfers with hosts lik...

6.5CVSS6.7AI score0.00571EPSS

CVE•added 2024/03/27 8:15 a.m.•293 views

CVE-2024-2379

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

6.3CVSS7.1AI score0.00205EPSS