curl / Docs / Releases / curl CVEs

curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Published vulnerabilities

All | Medium+ | High+ | Critical

(The table below has been filtered to show High+ severity)

# S W C Vulnerability Published First Last Awarded
147
H
C
CVE-2023-38545: SOCKS5 heap buffer overflow 2023-10-11 7.69.0 8.3.0 4660 USD
103
H
C
CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1 2000 USD
90
H
CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.44.0 7.65.1 200 USD
86
H
C
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
81
H
C
CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80
H
C
CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79
H
C
CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
75
H
C
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
72
H
C
CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
66
H
C
CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
64
H
C
CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63
H
CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
60
H
CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
56
H
CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
52
H
C
CVE-2016-8619: double free in krb5 code 2016-11-02 7.3 7.50.3
48
H
lib
C
CVE-2016-8623: Use after free via shared cookies 2016-11-02 7.10.7 7.50.3
46
H
CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
44
H
CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43
H
CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
41
H
lib
C
CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40
H
CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39
H
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38
H
tool CVE-2016-0754: remote filename path traversal in curl tool for Windows 2016-01-27 4.0 7.46.0
36
H
C
CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35
H
CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34
H
CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
28
H
CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
26
H
CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
17
H
lib
C
CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16
H
CVE-2013-1944: cookie domain tailmatch 2013-04-12 4.7 7.29.0
15
C
C
CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14
H
CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13
H
CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
11
H
tool CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10
H
lib CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9
H
C
CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
6
H
C
CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5
H
C
CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4
H
C
CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3
H
C
CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2
H
CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1
C
C
CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

C mistakes

The flaws listed as "C mistakes" are vulnerabilities that we deem are likely to not have happened should we have used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE and UNINIT.

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.

The JSON output follows the Open Source Vulnerability format