VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 31, 2013· Updated Apr 29, 2026

CVE-2013-2174

CVE-2013-2174

Description

Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.

Affected products

169
  • Haxx/Curl81 versions
    cpe:2.3:a:haxx:curl:7.10:*:*:*:*:*:*:*+ 80 more
    • cpe:2.3:a:haxx:curl:7.10:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.9.8:*:*:*:*:*:*:*
  • Haxx/Libcurl81 versions
    cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*+ 80 more
    • cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.9.8:*:*:*:*:*:*:*
  • Canonical/Ubuntu Linux4 versions
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*+ 3 more
    • cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
  • OpenSUSE/openSUSE
    cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
  • Red Hat/Enterprise Linux2 versions
    cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
    • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Patches

1
192c4f788d48
https://github.com/bagder/curlvia nvd-ref
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.