Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / Releases / curl CVEs

curl CVEs

Related:
Bug Bounty
Changelog
curl CVEs
Vulnerability Disclosure
Vulnerabilities Table

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them - we keep doing it to no use - and consider using our material as the canonical sources for curl issues.

Past security audits

Cure 53 performed a security audit in August 2016.

Trail of Bits performed a security audit of curl source code and internals, published on December 21, 2022. See Threat Model Report & Fix Review and Code Review & Testing Analysis.

Past vulnerabilities

All | Medium+ | High+ | Critical

# S W Vulnerability Date First Last
103
H
 CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1
90
H
 CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.44.0 7.65.1
86
H
 CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
81
H
 CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80
H
 CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79
H
 CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
75
H
 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
72
H
 CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
66
H
 CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
64
H
 CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63
H
 CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
60
H
 CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
56
H
 CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
52
H
 CVE-2016-8619: double free in krb5 code 2016-11-02 7.3 7.50.3
48
H
 lib CVE-2016-8623: Use after free via shared cookies 2016-11-02 7.10.7 7.50.3
46
H
 CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
44
H
 CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43
H
 CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
41
H
 lib CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40
H
 CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39
H
 CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38
H
 tool CVE-2016-0754: remote file name path traversal in curl tool for Windows 2016-01-27 4.0 7.46.0
36
H
 CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35
H
 CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34
H
 CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
28
H
 CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
26
H
 CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
17
H
 lib CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16
H
 CVE-2013-1944: cookie domain tailmatch 2013-04-12 4.7 7.29.0
15
C
 CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14
H
 CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13
H
 CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
11
H
 tool CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10
H
 lib CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9
H
 CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
6
H
 CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5
H
 CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4
H
 CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3
H
 CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2
H
 CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1
C
 CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.