curl / Docs / Releases / curl CVEs

curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them - we keep doing it to no use - and consider using our material as the canonical sources for curl issues.

Past security audits

Cure 53 performed a security audit in August 2016.

Trail of Bits performed a security audit of curl source code and internals, published on December 21, 2022. See Threat Model Report & Fix Review and Code Review & Testing Analysis.

Past vulnerabilities

All | Medium+ | High+ | Critical

# S W Vulnerability Date First Last
146
M
CVE-2023-38039: HTTP headers eat all memory 2023-09-13 7.84.0 8.2.1
142
M
CVE-2023-28319: UAF in SSH sha256 fingerprint check 2023-05-17 7.81.0 8.0.1
138
M
CVE-2023-27535: FTP too eager connection reuse 2023-03-20 7.13.0 7.88.1
135
M
CVE-2023-23916: HTTP multi-header compression denial of service 2023-02-15 7.57.0 7.87.0
131
M
CVE-2022-43551: Another HSTS bypass via IDN 2022-12-21 7.77.0 7.86.0
130
M
CVE-2022-42916: HSTS bypass via IDN 2022-10-26 7.77.0 7.85.0
129
M
CVE-2022-42915: HTTP proxy double free 2022-10-26 7.77.0 7.85.0
127
M
lib CVE-2022-32221: POST following PUT confusion 2022-10-26 7.7 7.85.0
124
M
CVE-2022-32207: Non-preserved file permissions 2022-06-27 7.69.0 7.83.1
123
M
CVE-2022-32206: HTTP compression denial of service 2022-06-27 7.57.0 7.83.1
121
M
CVE-2022-30115: HSTS bypass via trailing dot 2022-05-11 7.82.0 7.83.0
120
M
CVE-2022-27782: TLS and SSH connection too eager reuse 2022-05-11 7.16.1 7.83.0
118
M
CVE-2022-27780: percent-encoded path separator in URL host 2022-05-11 7.80.0 7.83.0
117
M
CVE-2022-27779: cookie for trailing dot TLD 2022-05-11 7.82.0 7.83.0
116
M
tool CVE-2022-27778: curl removes wrong file on error 2022-05-11 7.83.0 7.83.0
113
M
CVE-2022-27774: Credential leak on redirect 2022-04-27 4.9 7.82.0
112
M
CVE-2022-22576: OAUTH2 bearer bypass in connection re-use 2022-04-27 7.33.0 7.82.0
111
M
CVE-2021-22947: STARTTLS protocol injection via MITM 2021-09-15 7.20.0 7.78.0
110
M
CVE-2021-22946: Protocol downgrade required TLS bypassed 2021-09-15 7.20.0 7.78.0
109
M
CVE-2021-22945: UAF and double free in MQTT sending 2021-09-15 7.73.0 7.78.0
108
M
CVE-2021-22926: CURLOPT_SSLCERT mix-up with Secure Transport 2021-07-21 7.33.0 7.77.0
107
M
CVE-2021-22925: TELNET stack contents disclosure again 2021-07-21 7.7 7.77.0
106
M
CVE-2021-22924: Bad connection reuse due to flawed path name checks 2021-07-21 7.10.4 7.77.0
105
M
tool CVE-2021-22923: Metalink download sends credentials 2021-07-21 7.27.0 7.77.0
104
M
tool CVE-2021-22922: Wrong content via Metalink not discarded 2021-07-21 7.27.0 7.77.0
103
H
CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1
102
M
CVE-2021-22898: TELNET stack contents disclosure 2021-05-26 7.7 7.76.1
98
M
CVE-2020-8286: Inferior OCSP verification 2020-12-09 7.41.0 7.73.0
97
M
lib CVE-2020-8285: FTP wildcard stack overflow 2020-12-09 7.21.0 7.73.0
94
M
tool CVE-2020-8177: curl overwrite local file with -J 2020-06-24 7.20.0 7.70.0
93
M
CVE-2020-8169: Partial password leak over DNS on HTTP redirect 2020-06-24 7.62.0 7.70.0
92
M
CVE-2019-5481: FTP-KRB double free 2019-09-11 7.52.0 7.65.3
91
M
lib CVE-2019-5482: TFTP small blocksize heap buffer overflow 2019-09-11 7.19.4 7.65.3
90
H
CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.44.0 7.65.1
87
M
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read 2019-02-06 7.36.0 7.63.0
86
H
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
81
H
CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80
H
CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79
H
CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
78
M
CVE-2018-1000301: RTSP bad headers buffer over-read 2018-05-16 7.20.0 7.59.0
77
M
CVE-2018-1000122: RTSP RTP buffer over-read 2018-03-14 7.20.0 7.58.0
75
H
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
72
H
CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
71
M
lib CVE-2017-8817: FTP wildcard out of bounds read 2017-11-29 7.21.0 7.56.1
70
M
CVE-2017-8816: NTLM buffer overflow via integer overflow 2017-11-29 7.36.0 7.56.1
69
M
CVE-2017-1000257: IMAP FETCH response out of bounds read 2017-10-12 7.20.0 7.56.0
68
M
CVE-2017-1000254: FTP PWD response parser out of bounds read 2017-10-04 7.7 7.55.1
67
M
tool CVE-2017-1000101: URL globbing out of bounds read 2017-08-09 7.34.0 7.54.1
66
H
CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
65
M
CVE-2017-1000099: FILE buffer read out of bounds 2017-08-09 7.54.1 7.54.1
64
H
CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63
H
CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
62
M
tool CVE-2017-7407: --write-out out of buffer read 2017-04-03 6.5 7.53.1
61
M
CVE-2017-2629: SSL_VERIFYSTATUS ignored 2017-02-22 7.52.0 7.52.1
60
H
CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
59
M
lib CVE-2016-9586: printf floating point buffer overflow 2016-12-21 5.4 7.51.0
58
M
CVE-2016-9952: Win CE Schannel cert wildcard matches too much 2016-12-21 7.27.0 7.51.0
57
M
CVE-2016-9953: Win CE Schannel cert name out of buffer read 2016-12-21 7.27.0 7.51.0
56
H
CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
55
M
CVE-2016-8616: case insensitive password comparison 2016-11-02 7.7 7.50.3
54
M
CVE-2016-8617: OOB write via unchecked multiplication 2016-11-02 7.8.1 7.50.3
53
M
lib CVE-2016-8618: double free in curl_maprintf 2016-11-02 5.4 7.50.3
52
H
CVE-2016-8619: double free in krb5 code 2016-11-02 7.3 7.50.3
51
M
tool CVE-2016-8620: glob parser write/read out of bounds 2016-11-02 7.34.0 7.50.3
50
M
CVE-2016-8621: curl_getdate read out of bounds 2016-11-02 7.12.2 7.50.3
49
M
CVE-2016-8622: URL unescape heap overflow via integer truncation 2016-11-02 7.24.0 7.50.3
48
H
lib CVE-2016-8623: Use after free via shared cookies 2016-11-02 7.10.7 7.50.3
47
M
CVE-2016-8624: invalid URL parsing with '#' 2016-11-02 6.0 7.50.3
46
H
CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
45
M
lib CVE-2016-7167: curl escape and unescape integer overflows 2016-09-14 7.11.1 7.50.2
44
H
CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43
H
CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
42
M
CVE-2016-5420: Re-using connections with wrong client cert 2016-08-03 7.7 7.50.0
41
H
lib CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40
H
CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39
H
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38
H
tool CVE-2016-0754: remote file name path traversal in curl tool for Windows 2016-01-27 4.0 7.46.0
37
M
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use 2016-01-27 7.10.7 7.46.0
36
H
CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35
H
CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34
H
CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
33
M
CVE-2015-3144: host name out of boundary memory access 2015-04-22 7.37.0 7.41.0
32
M
CVE-2015-3145: cookie parser out of boundary memory access 2015-04-22 7.31.0 7.41.0
31
M
CVE-2015-3148: Negotiate not treated as connection-oriented 2015-04-22 7.10.6 7.41.0
30
M
CVE-2015-3143: Re-using authenticated connection when unauthenticated 2015-04-22 7.10.6 7.41.0
29
M
CVE-2014-8151: Secure Transport certificate check bypass 2015-01-08 7.31.0 7.39.0
28
H
CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
27
M
lib CVE-2014-3707: duphandle read out of bounds 2014-11-05 7.17.1 7.38.0
26
H
CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
25
M
CVE-2014-3613: cookie leak with IP address as domain 2014-09-10 4.0 7.37.1
24
M
CVE-2014-2522: not verifying certs for TLS to IP address / Schannel 2014-03-26 7.27.0 7.35.0
23
M
CVE-2014-1263: not verifying certs for TLS to IP address / Secure Transport 2014-03-26 7.27.0 7.35.0
22
M
CVE-2014-0139: IP address wildcard certificate validation 2014-03-26 7.10.3 7.35.0
21
M
CVE-2014-0138: wrong re-use of connections 2014-03-26 7.10.6 7.35.0
20
M
CVE-2014-0015: re-use of wrong HTTP NTLM connection 2014-01-29 7.10.6 7.34.0
19
M
lib CVE-2013-6422: cert name check ignore with GnuTLS 2013-12-17 7.21.4 7.33.0
18
M
lib CVE-2013-4545: cert name check ignore OpenSSL 2013-11-15 7.18.0 7.32.0
17
H
lib CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16
H
CVE-2013-1944: cookie domain tailmatch 2013-04-12 4.7 7.29.0
15
C
CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14
H
CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13
H
CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
12
M
CVE-2011-2192: inappropriate GSSAPI delegation 2011-06-23 7.10.6 7.21.6
11
H
tool CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10
H
lib CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9
H
CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
8
M
CVE-2009-0037: Arbitrary File Access 2009-03-03 5.11 7.19.3
6
H
CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5
H
CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4
H
CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3
H
CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2
H
CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1
C
CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.