VYPR

Vendor CVEs

Curl

All CVEs

184 total · sorted by risk
  • CVE-2016-8624MedJul 31, 2018
    risk 0.35cvss 5.3epss 0.06

    curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser…

  • CVE-2017-9502MedJun 14, 2017
    risk 0.35cvss 5.3epss 0.03

    In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based…

  • CVE-2016-3739MedMay 20, 2016
    risk 0.35cvss 5.3epss 0.06

    The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof…

  • CVE-2016-0754MedJan 29, 2016
    risk 0.35cvss 5.3epss 0.01

    cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.

  • CVE-2023-46219MedDec 12, 2023
    risk 0.34cvss 5.3epss 0.01

    When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

  • CVE-2026-6253MedMay 13, 2026
    risk 0.31cvss 5.9epss 0.01

    curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no…

  • CVE-2026-4873MedMay 13, 2026
    risk 0.31cvss 5.9epss 0.00

    A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS…

  • CVE-2021-22947MedSep 29, 2021
    risk 0.31cvss 5.9epss 0.03

    When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached…

  • CVE-2016-8625MedAug 1, 2018
    risk 0.28cvss 5.3epss 0.04

    curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.

  • CVE-2016-8619MedAug 1, 2018
    risk 0.28cvss 5.3epss 0.05

    The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.

  • CVE-2016-8618MedJul 31, 2018
    risk 0.28cvss 5.3epss 0.05

    The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.

  • CVE-2017-2629MedJul 27, 2018
    risk 0.28cvss 4.3epss 0.01

    curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none…

  • CVE-2026-7168MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.00

    Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:`…

  • CVE-2026-7009MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.00

    When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

  • CVE-2026-6429MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.01

    When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

  • CVE-2021-22925MedAug 5, 2021
    risk 0.27cvss 5.3epss 0.05

    curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized…

  • CVE-2023-38546LowOct 18, 2023
    risk 0.24cvss 3.7epss 0.06

    This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. …

  • CVE-2020-8284LowDec 14, 2020
    risk 0.24cvss 3.7epss 0.04

    A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port…

  • CVE-2016-8622LowJul 31, 2018
    risk 0.24cvss 3.7epss 0.05

    The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus…

  • CVE-2016-8623LowAug 1, 2018
    risk 0.22cvss 3.3epss 0.03

    A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.

  • CVE-2025-10966MedNov 7, 2025
    risk 0.21cvss 4.3epss 0.00

    curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.

  • CVE-2016-8617LowJul 31, 2018
    risk 0.21cvss 3.3epss 0.01

    The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.

  • CVE-2016-8616LowAug 1, 2018
    risk 0.17cvss 3.7epss 0.03

    A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has…

  • CVE-2021-22898LowJun 11, 2021
    risk 0.13cvss 3.1epss 0.04

    curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl…

  • CVE-2017-7407LowApr 3, 2017
    risk 0.09cvss 2.4epss 0.01

    The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%'…

  • CVE-2011-3389Sep 6, 2011
    risk 0.09cvss epss 0.73

    The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to…

  • CVE-2021-22901Jun 11, 2021
    risk 0.05cvss epss 0.60

    curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code…

  • CVE-2013-0249Mar 8, 2013
    risk 0.05cvss epss 0.23

    Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute…

  • CVE-2009-0037Mar 5, 2009
    risk 0.04cvss epss 0.08

    The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via…

  • CVE-2015-3145Apr 24, 2015
    risk 0.03cvss epss 0.38

    The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing…

  • CVE-2023-38039Sep 15, 2023
    risk 0.01cvss epss 0.62

    When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an…

  • CVE-2019-3822Feb 6, 2019
    risk 0.01cvss epss 0.13

    libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received…

  • CVE-2018-0500CriJul 11, 2018
    risk 0.01cvss 9.8epss 0.06

    Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument…

  • CVE-2015-3237Jun 22, 2015
    risk 0.01cvss epss 0.09

    The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.

  • CVE-2015-3236Jun 22, 2015
    risk 0.01cvss epss 0.08

    cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via…

  • CVE-2015-3153May 1, 2015
    risk 0.01cvss epss 0.08

    The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

  • CVE-2015-3148Apr 24, 2015
    risk 0.01cvss epss 0.18

    cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

  • CVE-2015-3144Apr 24, 2015
    risk 0.01cvss epss 0.11

    The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as…

  • CVE-2015-3143Apr 24, 2015
    risk 0.01cvss epss 0.16

    cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

  • CVE-2014-8150Jan 15, 2015
    risk 0.01cvss epss 0.07

    CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

  • CVE-2014-3613Nov 18, 2014
    risk 0.01cvss epss 0.07

    cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

  • CVE-2026-3805Mar 11, 2026
    risk 0.00cvss epss 0.01

    When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

  • CVE-2026-3783Mar 11, 2026
    risk 0.00cvss epss 0.00

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used…

  • CVE-2026-1965Mar 11, 2026
    risk 0.00cvss epss 0.00

    libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a…

  • CVE-2025-11563Feb 25, 2026
    risk 0.00cvss epss 0.00

    URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

  • CVE-2025-15224Jan 8, 2026
    risk 0.00cvss epss 0.00

    When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

  • CVE-2025-15079Jan 8, 2026
    risk 0.00cvss epss 0.00

    When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

  • CVE-2025-14819Jan 8, 2026
    risk 0.00cvss epss 0.01

    When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.…

  • CVE-2025-14524Jan 8, 2026
    risk 0.00cvss epss 0.01

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

  • CVE-2025-14017Jan 8, 2026
    risk 0.00cvss epss 0.00

    When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer…