Libcurl
by Curl
Source repositories
CVEs (87)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-3143 | 0.01 | — | 0.16 | Apr 24, 2015 | cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. | |||
| CVE-2014-8150 | 0.01 | — | 0.07 | Jan 15, 2015 | CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. | |||
| CVE-2014-3613 | 0.01 | — | 0.07 | Nov 18, 2014 | cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. | |||
| CVE-2026-1965 | 0.00 | — | 0.00 | Mar 11, 2026 | libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a… | |||
| CVE-2025-15079 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | |||
| CVE-2025-14819 | 0.00 | — | 0.01 | Jan 8, 2026 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.… | |||
| CVE-2025-13034 | 0.00 | — | 0.00 | Jan 8, 2026 | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without… | |||
| CVE-2025-5399 | 0.00 | — | 0.01 | Jun 7, 2025 | Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This… | |||
| CVE-2025-5025 | 0.00 | — | 0.00 | May 28, 2025 | libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that… | |||
| CVE-2025-4947 | 0.00 | — | 0.00 | May 28, 2025 | libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. | |||
| CVE-2025-0665 | 0.00 | — | 0.01 | Feb 5, 2025 | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. | |||
| CVE-2024-7264 | 0.00 | — | 0.16 | Jul 31, 2024 | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer… | |||
| CVE-2024-6874 | 0.00 | — | 0.01 | Jul 24, 2024 | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN… | |||
| CVE-2024-2466 | 0.00 | — | 0.01 | Mar 27, 2024 | libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely… | |||
| CVE-2024-2379 | 0.00 | — | 0.02 | Mar 27, 2024 | libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. | |||
| CVE-2024-2398 | 0.00 | — | 0.36 | Mar 27, 2024 | When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated… | |||
| CVE-2023-27538 | 0.00 | — | 0.01 | Mar 30, 2023 | An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse… | |||
| CVE-2023-27537 | 0.00 | — | 0.02 | Mar 30, 2023 | A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing… | |||
| CVE-2023-27535 | 0.00 | — | 0.02 | Mar 30, 2023 | An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current… | |||
| CVE-2023-27536 | 0.00 | — | 0.02 | Mar 30, 2023 | An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability… |
- CVE-2015-3143Apr 24, 2015risk 0.01cvss —epss 0.16
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
- CVE-2014-8150Jan 15, 2015risk 0.01cvss —epss 0.07
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
- CVE-2014-3613Nov 18, 2014risk 0.01cvss —epss 0.07
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
- CVE-2026-1965Mar 11, 2026risk 0.00cvss —epss 0.00
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a…
- CVE-2025-15079Jan 8, 2026risk 0.00cvss —epss 0.00
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
- CVE-2025-14819Jan 8, 2026risk 0.00cvss —epss 0.01
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.…
- CVE-2025-13034Jan 8, 2026risk 0.00cvss —epss 0.00
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without…
- CVE-2025-5399Jun 7, 2025risk 0.00cvss —epss 0.01
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This…
- CVE-2025-5025May 28, 2025risk 0.00cvss —epss 0.00
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that…
- CVE-2025-4947May 28, 2025risk 0.00cvss —epss 0.00
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
- CVE-2025-0665Feb 5, 2025risk 0.00cvss —epss 0.01
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
- CVE-2024-7264Jul 31, 2024risk 0.00cvss —epss 0.16
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer…
- CVE-2024-6874Jul 24, 2024risk 0.00cvss —epss 0.01
libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN…
- CVE-2024-2466Mar 27, 2024risk 0.00cvss —epss 0.01
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely…
- CVE-2024-2379Mar 27, 2024risk 0.00cvss —epss 0.02
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
- CVE-2024-2398Mar 27, 2024risk 0.00cvss —epss 0.36
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated…
- CVE-2023-27538Mar 30, 2023risk 0.00cvss —epss 0.01
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse…
- CVE-2023-27537Mar 30, 2023risk 0.00cvss —epss 0.02
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing…
- CVE-2023-27535Mar 30, 2023risk 0.00cvss —epss 0.02
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current…
- CVE-2023-27536Mar 30, 2023risk 0.00cvss —epss 0.02
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability…
Page 3 of 5