curl security problems

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our HackerOne page and tell us.

For the sake of our users, we appreciate being notified in advance before you go public with security advisories. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table for which versions are vulnerable to which flaws.

Published security vulnerabilities

# Vulnerability Date First-affected Last-affected
125 CVE-2022-32208: FTP-KRB bad message verification 2022-06-27 7.16.4 7.83.1
124 CVE-2022-32207: Unpreserved file permissions 2022-06-27 7.69.0 7.83.1
123 CVE-2022-32206: HTTP compression denial of service 2022-06-27 7.57.0 7.83.1
122 CVE-2022-32205: Set-Cookie denial of service 2022-06-27 7.71.0 7.83.1
121 CVE-2022-30115: HSTS bypass via trailing dot 2022-05-11 7.82.0 7.83.0
120 CVE-2022-27782: TLS and SSH connection too eager reuse 2022-05-11 7.16.1 7.83.0
119 CVE-2022-27781: CERTINFO never-ending busy-loop 2022-05-11 7.34.0 7.83.0
118 CVE-2022-27780: percent-encoded path separator in URL host 2022-05-11 7.80.0 7.83.0
117 CVE-2022-27779: cookie for trailing dot TLD 2022-05-11 7.82.0 7.83.0
116 CVE-2022-27778: curl removes wrong file on error 2022-05-11 7.83.0 7.83.0
115 CVE-2022-27776: Auth/cookie leak on redirect 2022-04-27 4.9 7.82.0
114 CVE-2022-27775: Bad local IPv6 connection reuse 2022-04-27 7.65.0 7.82.0
113 CVE-2022-27774: Credential leak on redirect 2022-04-27 4.9 7.82.0
112 CVE-2022-22576: OAUTH2 bearer bypass in connection re-use 2022-04-27 7.33.0 7.82.0
111 CVE-2021-22947: STARTTLS protocol injection via MITM 2021-09-15 7.20.0 7.78.0
110 CVE-2021-22946: Protocol downgrade required TLS bypassed 2021-09-15 7.20.0 7.78.0
109 CVE-2021-22945: UAF and double-free in MQTT sending 2021-09-15 7.73.0 7.78.0
108 CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport 2021-07-21 7.33.0 7.77.0
107 CVE-2021-22925: TELNET stack contents disclosure again 2021-07-21 7.7 7.77.0
106 CVE-2021-22924: Bad connection reuse due to flawed path name checks 2021-07-21 7.10.4 7.77.0
105 CVE-2021-22923: Metalink download sends credentials 2021-07-21 7.27.0 7.77.0
104 CVE-2021-22922: Wrong content via metalink not discarded 2021-07-21 7.27.0 7.77.0
103 CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1
102 CVE-2021-22898: TELNET stack contents disclosure 2021-05-26 7.7 7.76.1
101 CVE-2021-22897: schannel cipher selection surprise 2021-05-26 7.61.0 7.76.1
100 CVE-2021-22890: TLS 1.3 session ticket proxy host mixup 2021-03-31 7.63.0 7.75.0
99 CVE-2021-22876: Automatic referer leaks credentials 2021-03-31 7.1.1 7.75.0
98 CVE-2020-8286: Inferior OCSP verification 2020-12-09 7.41.0 7.73.0
97 CVE-2020-8285: FTP wildcard stack overflow 2020-12-09 7.21.0 7.73.0
96 CVE-2020-8284: trusting FTP PASV responses 2020-12-09 4.0 7.73.0
95 CVE-2020-8231: wrong connect-only connection 2020-08-19 7.29.0 7.71.1
94 CVE-2020-8177: curl overwrite local file with -J 2020-06-24 7.20.0 7.70.0
93 CVE-2020-8169: Partial password leak over DNS on HTTP redirect 2020-06-24 7.62.0 7.70.0
92 CVE-2019-5481: FTP-KRB double-free 2019-09-11 7.52.0 7.65.3
91 CVE-2019-5482: TFTP small blocksize heap buffer overflow 2019-09-11 7.19.4 7.65.3
90 CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.61.0 7.65.1
89 CVE-2019-5436: TFTP receive buffer overflow 2019-05-22 7.19.4 7.64.1
88 CVE-2019-5435: Integer overflows in curl_url_set 2019-05-22 7.62.0 7.64.1
87 CVE-2018-16890: NTLM type-2 out-of-bounds buffer read 2019-02-06 7.36.0 7.63.0
86 CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
85 CVE-2019-3823: SMTP end-of-response out-of-bounds read 2019-02-06 7.34.0 7.63.0
84 CVE-2018-16842: warning message out-of-buffer read 2018-10-31 7.14.1 7.61.1
83 CVE-2018-16840: use-after-free in handle close 2018-10-31 7.59.0 7.61.1
82 CVE-2018-16839: SASL password overflow via integer overflow 2018-10-31 7.33.0 7.61.1
81 CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80 CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79 CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
78 CVE-2018-1000301: RTSP bad headers buffer over-read 2018-05-16 7.20.0 7.59.0
77 CVE-2018-1000122: RTSP RTP buffer over-read 2018-03-14 7.20.0 7.58.0
76 CVE-2018-1000121: LDAP NULL pointer dereference 2018-03-14 7.21.0 7.58.0
75 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
74 CVE-2018-1000007: HTTP authentication leak in redirects 2018-01-24 6.0 7.57.0
73 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read 2018-01-24 7.49.0 7.57.0
72 CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
71 CVE-2017-8817: FTP wildcard out of bounds read 2017-11-29 7.21.0 7.56.1
70 CVE-2017-8816: NTLM buffer overflow via integer overflow 2017-11-29 7.36.0 7.56.1
69 CVE-2017-1000257: IMAP FETCH response out of bounds read 2017-10-12 7.20.0 7.56.0
68 CVE-2017-1000254: FTP PWD response parser out of bounds read 2017-10-04 7.7 7.55.1
67 CVE-2017-1000101: URL globbing out of bounds read 2017-08-09 7.34.0 7.54.1
66 CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
65 CVE-2017-1000099: FILE buffer read out of bounds 2017-08-09 7.54.1 7.54.1
64 CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63 CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
62 CVE-2017-7407: --write-out out of buffer read 2017-04-03 6.5 7.53.1
61 CVE-2017-2629: SSL_VERIFYSTATUS ignored 2017-02-22 7.52.0 7.52.1
60 CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
59 CVE-2016-9586: printf floating point buffer overflow 2016-12-21 5.4 7.51.0
58 CVE-2016-9952: Win CE schannel cert wildcard matches too much 2016-12-21 7.30.0 7.51.0
57 CVE-2016-9953: Win CE schannel cert name out of buffer read 2016-12-21 7.30.0 7.51.0
56 CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
55 CVE-2016-8616: case insensitive password comparison 2016-11-02 7.7 7.50.3
54 CVE-2016-8617: OOB write via unchecked multiplication 2016-11-02 7.3 7.50.3
53 CVE-2016-8618: double-free in curl_maprintf 2016-11-02 5.4 7.50.3
52 CVE-2016-8619: double-free in krb5 code 2016-11-02 7.3 7.50.3
51 CVE-2016-8620: glob parser write/read out of bounds 2016-11-02 7.34.0 7.50.3
50 CVE-2016-8621: curl_getdate read out of bounds 2016-11-02 7.12.2 7.50.3
49 CVE-2016-8622: URL unescape heap overflow via integer truncation 2016-11-02 7.24.0 7.50.3
48 CVE-2016-8623: Use-after-free via shared cookies 2016-11-02 7.10.7 7.50.3
47 CVE-2016-8624: invalid URL parsing with '#' 2016-11-02 6.0 7.50.3
46 CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
45 CVE-2016-7167: curl escape and unescape integer overflows 2016-09-14 7.11.1 7.50.2
44 CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43 CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
42 CVE-2016-5420: Re-using connections with wrong client cert 2016-08-03 7.7 7.50.0
41 CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40 CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39 CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38 CVE-2016-0754: remote file name path traversal in curl tool for Windows 2016-01-27 7.20.0 7.46.0
37 CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use 2016-01-27 7.10.7 7.46.0
36 CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35 CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34 CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
33 CVE-2015-3144: host name out of boundary memory access 2015-04-22 7.37.0 7.41.0
32 CVE-2015-3145: cookie parser out of boundary memory access 2015-04-22 7.31.0 7.41.0
31 CVE-2015-3148: Negotiate not treated as connection-oriented 2015-04-22 7.10.6 7.41.0
30 CVE-2015-3143: Re-using authenticated connection when unauthenticated 2015-04-22 7.10.6 7.41.0
29 CVE-2014-8151: darwinssl certificate check bypass 2015-01-08 7.31.0 7.39.0
28 CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
27 CVE-2014-3707: duphandle read out of bounds 2014-11-05 7.17.1 7.38.0
26 CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
25 CVE-2014-3613: cookie leak with IP address as domain 2014-09-10 4.0 7.37.1
24 CVE-2014-2522: not verifying certs for TLS to IP address / Winssl 2014-03-26 7.26.0 7.35.0
23 CVE-2014-1263: not verifying certs for TLS to IP address / Darwinssl 2014-03-26 7.26.0 7.35.0
22 CVE-2014-0139: IP address wildcard certificate validation 2014-03-26 7.10.3 7.35.0
21 CVE-2014-0138: wrong re-use of connections 2014-03-26 7.10.7 7.35.0
20 CVE-2014-0015: re-use of wrong HTTP NTLM connection 2014-01-29 7.10.6 7.34.0
19 CVE-2013-6422: cert name check ignore GnuTLS 2013-12-17 7.21.4 7.33.0
18 CVE-2013-4545: cert name check ignore OpenSSL 2013-11-15 7.18.0 7.32.0
17 CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16 CVE-2013-1944: cookie domain tailmatch 2013-04-12 6.0 7.29.0
15 CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14 CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13 CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
12 CVE-2011-2192: inappropriate GSSAPI delegation 2011-06-23 7.10.6 7.21.6
11 CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10 CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9 CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
8 CVE-2009-0037: Arbitrary File Access 2009-03-03 6.0 7.19.3
7 CVE-2007-3564: GnuTLS insufficient cert verification 2007-07-10 7.14.0 7.16.3
6 CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5 CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4 CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3 CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2 CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1 CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

curl vulnerabilities data as a CSV

vuln.csv has the same info as the table above in a more machine-friendly format.