rpm package
suse/curl&distro=SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3784 | Med | 6.5 | < 8.0.1-11.120.1 | 8.0.1-11.120.1 | Mar 11, 2026 | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | |
| CVE-2026-3783 | — | < 8.0.1-11.120.1 | 8.0.1-11.120.1 | Mar 11, 2026 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .ne | ||
| CVE-2026-1965 | — | < 8.0.1-11.120.1 | 8.0.1-11.120.1 | Mar 11, 2026 | libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connectio | ||
| CVE-2025-15079 | — | < 8.0.1-11.111.1 | 8.0.1-11.111.1 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | ||
| CVE-2025-14819 | — | < 8.0.1-11.111.1 | 8.0.1-11.111.1 | Jan 8, 2026 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. | ||
| CVE-2025-14524 | — | < 8.0.1-11.111.1 | 8.0.1-11.111.1 | Jan 8, 2026 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | ||
| CVE-2025-14017 | — | < 8.0.1-11.114.1 | 8.0.1-11.114.1 | Jan 8, 2026 | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer c | ||
| CVE-2025-9086 | Hig | 7.5 | < 8.0.1-11.108.1 | 8.0.1-11.108.1 | Sep 12, 2025 | 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path | |
| CVE-2025-10148 | — | < 8.0.1-11.108.1 | 8.0.1-11.108.1 | Sep 12, 2025 | curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traf | ||
| CVE-2025-0725 | — | < 8.0.1-11.105.1 | 8.0.1-11.105.1 | Feb 5, 2025 | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. | ||
| CVE-2025-0167 | — | < 8.0.1-11.105.1 | 8.0.1-11.105.1 | Feb 5, 2025 | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both l | ||
| CVE-2024-11053 | — | < 8.0.1-11.101.1 | 8.0.1-11.101.1 | Dec 11, 2024 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect | ||
| CVE-2024-9681 | — | < 8.0.1-11.98.1 | 8.0.1-11.98.1 | Nov 6, 2024 | When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform | ||
| CVE-2023-27534 | — | < 8.0.1-11.117.1 | 8.0.1-11.117.1 | Mar 30, 2023 | A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home dire |
- affected < 8.0.1-11.120.1fixed 8.0.1-11.120.1
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
- CVE-2026-3783Mar 11, 2026affected < 8.0.1-11.120.1fixed 8.0.1-11.120.1
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .ne
- CVE-2026-1965Mar 11, 2026affected < 8.0.1-11.120.1fixed 8.0.1-11.120.1
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connectio
- CVE-2025-15079Jan 8, 2026affected < 8.0.1-11.111.1fixed 8.0.1-11.111.1
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
- CVE-2025-14819Jan 8, 2026affected < 8.0.1-11.111.1fixed 8.0.1-11.111.1
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.
- CVE-2025-14524Jan 8, 2026affected < 8.0.1-11.111.1fixed 8.0.1-11.111.1
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
- CVE-2025-14017Jan 8, 2026affected < 8.0.1-11.114.1fixed 8.0.1-11.114.1
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer c
- affected < 8.0.1-11.108.1fixed 8.0.1-11.108.1
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path
- CVE-2025-10148Sep 12, 2025affected < 8.0.1-11.108.1fixed 8.0.1-11.108.1
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traf
- CVE-2025-0725Feb 5, 2025affected < 8.0.1-11.105.1fixed 8.0.1-11.105.1
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
- CVE-2025-0167Feb 5, 2025affected < 8.0.1-11.105.1fixed 8.0.1-11.105.1
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both l
- CVE-2024-11053Dec 11, 2024affected < 8.0.1-11.101.1fixed 8.0.1-11.101.1
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect
- CVE-2024-9681Nov 6, 2024affected < 8.0.1-11.98.1fixed 8.0.1-11.98.1
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform
- CVE-2023-27534Mar 30, 2023affected < 8.0.1-11.117.1fixed 8.0.1-11.117.1
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home dire