
curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell us about it.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.

Alert: if you look up curl CVEs in public sources like NVD you will find that they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them (we keep doing it, to no avail) and consider using our material as the canonical source for curl issues.

Past security audits

Cure53 performed a security audit in August 2016.

Trail of Bits performed a security audit of curl source code and internals, published on December 21, 2022. See Threat Model Report & Fix Review and Code Review & Testing Analysis.

Past vulnerabilities

Severity filter: All | Medium+ | High+ | Critical. The entries shown below are those rated C (critical).

#    S   W   Vulnerability                                         Date         First    Last
15   C       CVE-2013-0249: SASL buffer overflow                   2013-02-06   7.26.0   7.28.1
1    C       CVE-2000-0973: FTP Server Response Buffer Overflow    2000-10-13   6.0      7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide information about all vulnerabilities in machine-readable formats.

Each vulnerability is also provided as a single JSON document that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual CVE id.
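A practical use of this data is to answer "which curl CVEs affect the version I ship?" from the first/last vulnerable columns. The script below is an added example and is not the curl project's code. The column layout of the embedded sample CSV (id, severity, cve, title, date, first, last) is an assumption modelled on the vulnerability table above; the real vuln.csv may use different headers, so check its first line before pointing the loader at it. The sample rows are the two table entries from this page. The check that matters in practice is that version comparison is numeric per component, because a lexical string compare puts 7.9 after 7.10 and silently misclassifies releases.

```python
"""Which curl CVEs affect a given curl version, from vuln.csv-style data.

Added example, not code from the curl project. The CSV column names below are
an assumption based on the page's vulnerability table; adapt them to the real
vuln.csv header if it differs.
"""
from __future__ import annotations

import csv
import io
import re

# Constructed sample in the assumed layout; the rows are the two critical
# entries from the table on this page.
SAMPLE_CSV = """\
id,severity,cve,title,date,first,last
15,C,CVE-2013-0249,SASL buffer overflow,2013-02-06,7.26.0,7.28.1
1,C,CVE-2000-0973,FTP Server Response Buffer Overflow,2000-10-13,6.0,7.4
"""

# Shape of a CVE identifier: CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '7.26.0' into (7, 26, 0).

    Tuples of ints compare component-wise, so 7.9 < 7.10 as intended;
    comparing the raw strings would order them the other way round.
    """
    return tuple(int(part) for part in v.strip().split("."))


def load_vulns(text: str) -> list[dict]:
    """Parse CSV text into records with numeric version bounds.

    Rejects rows whose CVE column does not look like a CVE id, so a malformed
    or tampered file fails loudly instead of producing a bogus URL later.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if not CVE_RE.match(row["cve"]):
            raise ValueError(f"unexpected CVE id: {row['cve']!r}")
        records.append({
            "cve": row["cve"],
            "severity": row["severity"],
            "title": row["title"],
            "first": parse_version(row["first"]),
            "last": parse_version(row["last"]),
        })
    return records


def affecting(version: str, vulns: list[dict]) -> list[str]:
    """Return the CVE ids whose inclusive [first, last] range contains version."""
    v = parse_version(version)
    return [r["cve"] for r in vulns if r["first"] <= v <= r["last"]]


def per_cve_url(cve: str) -> str:
    """Build the per-CVE JSON URL documented on the page.

    The id is validated first so that an arbitrary string from user input or
    a CSV row cannot be spliced into the path.
    """
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE id: {cve!r}")
    return f"https://curl.se/docs/{cve}.json"


if __name__ == "__main__":
    vulns = load_vulns(SAMPLE_CSV)
    for ver in ("7.4", "7.10", "7.27.0", "7.28.2"):
        print(ver, affecting(ver, vulns))
    for r in vulns:
        print(r["cve"], per_cve_url(r["cve"]))
```

Run it as-is to see the two sample CVEs matched against a few versions; to use the real data, download vuln.csv, confirm its header, and pass the file contents to load_vulns in place of SAMPLE_CSV.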