curl CVEs
If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our HackerOne page and tell us.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
Published vulnerabilities
All | Medium+ | High+ | Critical (The table below has been filtered to show High+ severity)
C mistakes
Flaws listed as "C mistakes" are vulnerabilities that we deem likely would not have happened had we used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE, UNINIT and BAD_FREE.
Retracted security vulnerabilities
Issues no longer considered curl security problems:
- CVE-2019-15601 - SMB access smuggling via FILE URL on Windows
- CVE-2023-32001 - fopen race condition
Bogus security vulnerabilities
Issues filed by others that are plain lies:
curl vulnerability data
vuln.csv and vuln.json provide info about all vulnerabilities in machine-friendly formats.
Each vulnerability is also provided as a single JSON file that you can access at "https://curl.se/docs/$CVE.json" (replace $CVE with the actual curl CVE ID).
The JSON output follows the Open Source Vulnerability format.