Curl
by Curl
CVEs (157)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8624 | | Med | 0.35 | 5.3 | 0.06 | | Jul 31, 2018 | curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser… |
| CVE-2017-9502 | | Med | 0.35 | 5.3 | 0.03 | | Jun 14, 2017 | In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based… |
| CVE-2016-3739 | | Med | 0.35 | 5.3 | 0.06 | | May 20, 2016 | The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof… |
| CVE-2016-0754 | | Med | 0.35 | 5.3 | 0.01 | | Jan 29, 2016 | cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. |
| CVE-2023-46219 | | Med | 0.34 | 5.3 | 0.01 | | Dec 12, 2023 | When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. |
| CVE-2026-6253 | | Med | 0.31 | 5.9 | 0.01 | | May 13, 2026 | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is set up to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no… |
| CVE-2026-4873 | | Med | 0.31 | 5.9 | 0.00 | | May 13, 2026 | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS… |
| CVE-2021-22947 | | Med | 0.31 | 5.9 | 0.03 | | Sep 29, 2021 | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached… |
| CVE-2016-8625 | | Med | 0.28 | 5.3 | 0.04 | | Aug 1, 2018 | curl before version 7.51.0 uses the outdated IDNA 2003 standard to handle International Domain Names, and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. |
| CVE-2016-8619 | | Med | 0.28 | 5.3 | 0.05 | | Aug 1, 2018 | The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to a memory double free. |
| CVE-2017-2629 | | Med | 0.28 | 4.3 | 0.01 | | Jul 27, 2018 | curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none… |
| CVE-2026-7168 | | Med | 0.27 | 5.3 | 0.00 | | May 13, 2026 | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:`… |
| CVE-2026-7009 | | Med | 0.27 | 5.3 | 0.00 | | May 13, 2026 | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine. |
| CVE-2026-6429 | | Med | 0.27 | 5.3 | 0.01 | | May 13, 2026 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. |
| CVE-2021-22925 | | Med | 0.27 | 5.3 | 0.05 | | Aug 5, 2021 | curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized… |
| CVE-2023-38546 | | Low | 0.24 | 3.7 | 0.06 | | Oct 18, 2023 | This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. … |
| CVE-2020-8284 | | Low | 0.24 | 3.7 | 0.04 | | Dec 14, 2020 | A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port… |
| CVE-2016-8623 | | Low | 0.22 | 3.3 | 0.03 | | Aug 1, 2018 | A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. |
| CVE-2025-10966 | | Med | 0.21 | 4.3 | 0.00 | | Nov 7, 2025 | curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more. |
| CVE-2016-8617 | | Low | 0.21 | 3.3 | 0.01 | | Jul 31, 2018 | The base64 encode function in curl before version 7.51.0 is prone to a buffer being under-allocated on 32-bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. |