curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.

Published vulnerabilities

(The table below has been filtered to show Critical severity)

#  S  W  C  Vulnerability                                       Published   First   Last    Awarded
            CVE-2013-0249: SASL buffer overflow                 2013-02-06  7.26.0  7.28.1
            CVE-2000-0973: FTP Server Response Buffer Overflow  2000-10-13  6.0     7.4

C mistakes

The flaws listed as "C mistakes" are vulnerabilities that we deem likely not to have happened had we used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE and UNINIT.

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide information about all vulnerabilities in machine-friendly formats.

Each vulnerability is also provided as a single JSON document that you can access at "$CVE.json" - replace $CVE with the actual curl CVE id.

The JSON output follows the Open Source Vulnerability (OSV) format.