If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our HackerOne page and tell us.
We appreciate being notified in advance, before you go public with security advisories, for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
Past security audits
Cure53 performed a security audit in August 2016.
Past vulnerabilities
| # | Vulnerability | Date | First affected | Last affected |
| 15 | CVE-2013-0249: SASL buffer overflow | 2013-02-06 | 7.26.0 | 7.28.1 |
| 1 | CVE-2000-0973: FTP Server Response Buffer Overflow | 2000-10-13 | 6.0 | 7.4 |
Retracted security vulnerabilities
Issues no longer considered curl security problems:
Bogus security vulnerabilities
Issues filed by others that are plain lies:
curl vulnerability data
Each vulnerability is also provided as a single JSON file that you can access at "https://curl.se/docs/$CVE.json". Replace $CVE with the actual curl CVE ID.