curl / Docs / Releases / curl CVEs

curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them - we keep doing it to no use - and consider using our material as the canonical sources for curl issues.

Past security audits

Cure 53 performed a security audit in August 2016.

Trail of Bits performed a security audit of curl source code and internals, published on December 21, 2022. See Threat Model Report & Fix Review and Code Review & Testing Analysis.

Past vulnerabilities

All | Medium+ | High+ | Critical

# S W Vulnerability Date First Last
CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "$CVE.json" - replace $CVE with the actual curl CVE Id.