curl CVEs
If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
Published vulnerabilities
(The table below has been filtered to show Critical severity.)

# | S | W | C | Vulnerability | Published | First | Last | Awarded
---|---|---|---|---|---|---|---|---
15 | C | | C | CVE-2013-0249: SASL buffer overflow | 2013-02-06 | 7.26.0 | 7.28.1 |
1 | C | | C | CVE-2000-0973: FTP Server Response Buffer Overflow | 2000-10-13 | 6.0 | 7.4 |
C mistakes
Flaws listed as "C mistakes" are vulnerabilities that we deem likely not to have happened had we used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE, UNINIT and BAD_FREE.
Retracted security vulnerabilities
Issues no longer considered curl security problems:
- CVE-2019-15601 - SMB access smuggling via FILE URL on Windows
- CVE-2023-32001 - fopen race condition
Bogus security vulnerabilities
Issues filed by others that are plain lies:
curl vulnerability data
vuln.csv and vuln.json provide information about all vulnerabilities in machine-friendly formats.
Each vulnerability is also provided as a single JSON document that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE id.
The JSON output follows the Open Source Vulnerability (OSV) format.