Curl
by Curl
Source repositories
CVEs (157)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11563 | 0.00 | — | 0.00 | Feb 25, 2026 | URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. | |||
| CVE-2025-15224 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | |||
| CVE-2025-15079 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | |||
| CVE-2025-14819 | 0.00 | — | 0.01 | Jan 8, 2026 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.… | |||
| CVE-2025-14524 | 0.00 | — | 0.01 | Jan 8, 2026 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | |||
| CVE-2025-14017 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer… | |||
| CVE-2025-13034 | 0.00 | — | 0.00 | Jan 8, 2026 | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without… | |||
| CVE-2025-10148 | 0.00 | — | 0.00 | Sep 12, 2025 | curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce… | |||
| CVE-2025-5399 | 0.00 | — | 0.01 | Jun 7, 2025 | Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This… | |||
| CVE-2025-5025 | 0.00 | — | 0.00 | May 28, 2025 | libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that… | |||
| CVE-2025-4947 | 0.00 | — | 0.00 | May 28, 2025 | libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. | |||
| CVE-2025-0725 | 0.00 | — | 0.01 | Feb 5, 2025 | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. | |||
| CVE-2025-0665 | 0.00 | — | 0.01 | Feb 5, 2025 | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. | |||
| CVE-2025-0167 | 0.00 | — | 0.01 | Feb 5, 2025 | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both… | |||
| CVE-2024-11053 | 0.00 | — | 0.01 | Dec 11, 2024 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the… | |||
| CVE-2024-9681 | 0.00 | — | 0.02 | Nov 6, 2024 | When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and… | |||
| CVE-2024-8096 | 0.00 | — | 0.01 | Sep 11, 2024 | When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status… | |||
| CVE-2024-7264 | 0.00 | — | 0.16 | Jul 31, 2024 | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer… | |||
| CVE-2024-6874 | 0.00 | — | 0.01 | Jul 24, 2024 | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN… | |||
| CVE-2024-6197 | 0.00 | — | 0.04 | Jul 24, 2024 | libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this… |
- CVE-2025-11563Feb 25, 2026risk 0.00cvss —epss 0.00
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
- CVE-2025-15224Jan 8, 2026risk 0.00cvss —epss 0.00
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
- CVE-2025-15079Jan 8, 2026risk 0.00cvss —epss 0.00
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
- CVE-2025-14819Jan 8, 2026risk 0.00cvss —epss 0.01
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.…
- CVE-2025-14524Jan 8, 2026risk 0.00cvss —epss 0.01
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
- CVE-2025-14017Jan 8, 2026risk 0.00cvss —epss 0.00
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer…
- CVE-2025-13034Jan 8, 2026risk 0.00cvss —epss 0.00
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without…
- CVE-2025-10148Sep 12, 2025risk 0.00cvss —epss 0.00
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce…
- CVE-2025-5399Jun 7, 2025risk 0.00cvss —epss 0.01
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This…
- CVE-2025-5025May 28, 2025risk 0.00cvss —epss 0.00
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that…
- CVE-2025-4947May 28, 2025risk 0.00cvss —epss 0.00
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
- CVE-2025-0725Feb 5, 2025risk 0.00cvss —epss 0.01
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
- CVE-2025-0665Feb 5, 2025risk 0.00cvss —epss 0.01
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
- CVE-2025-0167Feb 5, 2025risk 0.00cvss —epss 0.01
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both…
- CVE-2024-11053Dec 11, 2024risk 0.00cvss —epss 0.01
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the…
- CVE-2024-9681Nov 6, 2024risk 0.00cvss —epss 0.02
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and…
- CVE-2024-8096Sep 11, 2024risk 0.00cvss —epss 0.01
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status…
- CVE-2024-7264Jul 31, 2024risk 0.00cvss —epss 0.16
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer…
- CVE-2024-6874Jul 24, 2024risk 0.00cvss —epss 0.01
libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN…
- CVE-2024-6197Jul 24, 2024risk 0.00cvss —epss 0.04
libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this…
Page 5 of 8