We take security seriously and develop curl and libcurl to be secure and
safe.
If you find or simply suspect a security problem in curl or libcurl, please
file a detailed report on our hackerone
page and tell.
We appreciate getting notified in advance before you go public with security
advisories for the sake of our users. We disclose security vulnerabilities in
association with our fixes for them.
| # |
Vulnerability |
Date |
First |
Last |
CVE |
CWE |
| 111 |
STARTTLS protocol injection via MITM |
September 15, 2021 |
7.20.0 |
7.78.0 |
CVE-2021-22947 |
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data |
| 110 |
Protocol downgrade required TLS bypassed |
September 15, 2021 |
7.20.0 |
7.78.0 |
CVE-2021-22946 |
CWE-325: Missing Cryptographic Step |
| 109 |
UAF and double-free in MQTT sending |
September 15, 2021 |
7.73.0 |
7.78.0 |
CVE-2021-22945 |
CWE-415: Double Free |
| 108 |
CURLOPT_SSLCERT mixup with Secure Transport |
July 21, 2021 |
7.33.0 |
7.77.0 |
CVE-2021-22926 |
CWE-295: Improper Certificate Validation |
| 107 |
TELNET stack contents disclosure again |
July 21, 2021 |
7.7 |
7.77.0 |
CVE-2021-22925 |
CWE-457: Use of Uninitialized Variable |
| 106 |
Bad connection reuse due to flawed path name checks |
July 21, 2021 |
7.10.4 |
7.77.0 |
CVE-2021-22924 |
CWE-295: Improper Certificate Validation |
| 105 |
Metalink download sends credentials |
July 21, 2021 |
7.27.0 |
7.77.0 |
CVE-2021-22923 |
CWE-522: Insufficiently Protected Credentials |
| 104 |
Wrong content via metalink not discarded |
July 21, 2021 |
7.27.0 |
7.77.0 |
CVE-2021-22922 |
CWE-20: Improper Input Validation |
| 103 |
TLS session caching disaster |
May 26, 2021 |
7.75.0 |
7.76.1 |
CVE-2021-22901 |
CWE-416: Use After Free |
| 102 |
TELNET stack contents disclosure |
May 26, 2021 |
7.7 |
7.76.1 |
CVE-2021-22898 |
CWE-457: Use of Uninitialized Variable |
| 101 |
schannel cipher selection surprise |
May 26, 2021 |
7.61.0 |
7.76.1 |
CVE-2021-22897 |
CWE-488: Exposure of Data Element to Wrong Session |
| 100 |
TLS 1.3 session ticket proxy host mixup |
March 31, 2021 |
7.63.0 |
7.75.0 |
CVE-2021-22890 |
CWE-290: Authentication Bypass by Spoofing |
| 99 |
Automatic referer leaks credentials |
March 31, 2021 |
7.1.1 |
7.75.0 |
CVE-2021-22876 |
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor |
| 98 |
Inferior OCSP verification |
December 09, 2020 |
7.41.0 |
7.73.0 |
CVE-2020-8286 |
CWE-299: Improper Check for Certificate Revocation |
| 97 |
FTP wildcard stack overflow |
December 09, 2020 |
7.21.0 |
7.73.0 |
CVE-2020-8285 |
CWE-674: Uncontrolled Recursion |
| 96 |
trusting FTP PASV responses |
December 09, 2020 |
4.0 |
7.73.0 |
CVE-2020-8284 |
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| 95 |
wrong connect-only connection |
August 19, 2020 |
7.29.0 |
7.71.1 |
CVE-2020-8231 |
CWE-825: Expired Pointer Dereference |
| 94 |
curl overwrite local file with -J |
June 24, 2020 |
7.20.0 |
7.70.0 |
CVE-2020-8177 |
CWE-641: Improper Restriction of Names for Files and Other Resources |
| 93 |
Partial password leak over DNS on HTTP redirect |
June 24, 2020 |
7.62.0 |
7.70.0 |
CVE-2020-8169 |
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| 92 |
FTP-KRB double-free |
September 11, 2019 |
7.52.0 |
7.65.3 |
CVE-2019-5481 |
CWE-415: Double Free |
| 91 |
TFTP small blocksize heap buffer overflow |
September 11, 2019 |
7.19.4 |
7.65.3 |
CVE-2019-5482 |
CWE-122: Heap-based Buffer Overflow |
| 90 |
Windows OpenSSL engine code injection |
June 24, 2019 |
7.61.0 |
7.65.1 |
CVE-2019-5443 |
CWE-94: Code Injection |
| 89 |
TFTP receive buffer overflow |
May 22, 2019 |
7.19.4 |
7.64.1 |
CVE-2019-5436 |
CWE-122: Heap-based Buffer Overflow |
| 88 |
Integer overflows in curl_url_set |
May 22, 2019 |
7.62.0 |
7.64.1 |
CVE-2019-5435 |
CWE-131: Incorrect Calculation of Buffer Size |
| 87 |
NTLM type-2 out-of-bounds buffer read |
February 06, 2019 |
7.36.0 |
7.63.0 |
CVE-2018-16890 |
CWE-125: Out-of-bounds Read |
| 86 |
NTLMv2 type-3 header stack buffer overflow |
February 06, 2019 |
7.36.0 |
7.63.0 |
CVE-2019-3822 |
CWE-121: Stack-based Buffer Overflow |
| 85 |
SMTP end-of-response out-of-bounds read |
February 06, 2019 |
7.34.0 |
7.63.0 |
CVE-2019-3823 |
CWE-125: Out-of-bounds Read |
| 84 |
warning message out-of-buffer read |
October 31, 2018 |
7.14.1 |
7.61.1 |
CVE-2018-16842 |
CWE-125: Out-of-bounds Read |
| 83 |
use-after-free in handle close |
October 31, 2018 |
7.59.0 |
7.61.1 |
CVE-2018-16840 |
CWE-416: Use After Free |
| 82 |
SASL password overflow via integer overflow |
October 31, 2018 |
7.33.0 |
7.61.1 |
CVE-2018-16839 |
CWE-131: Incorrect Calculation of Buffer Size |
| 81 |
NTLM password overflow via integer overflow |
September 05, 2018 |
7.15.4 |
7.61.0 |
CVE-2018-14618 |
CWE-131: Incorrect Calculation of Buffer Size |
| 80 |
SMTP send heap buffer overflow |
July 11, 2018 |
7.54.1 |
7.60.0 |
CVE-2018-0500 |
CWE-122: Heap-based Buffer Overflow |
| 79 |
FTP shutdown response buffer overflow |
May 16, 2018 |
7.54.1 |
7.59.0 |
CVE-2018-1000300 |
CWE-122: Heap-based Buffer Overflow |
| 78 |
RTSP bad headers buffer over-read |
May 16, 2018 |
7.20.0 |
7.59.0 |
CVE-2018-1000301 |
CWE-126: Buffer Over-read |
| 77 |
RTSP RTP buffer over-read |
March 14, 2018 |
7.20.0 |
7.58.0 |
CVE-2018-1000122 |
CWE-126: Buffer Over-read |
| 76 |
LDAP NULL pointer dereference |
March 14, 2018 |
7.21.0 |
7.58.0 |
CVE-2018-1000121 |
CWE-476: NULL Pointer Dereference |
| 75 |
FTP path trickery leads to NIL byte out of bounds write |
March 14, 2018 |
7.12.3 |
7.58.0 |
CVE-2018-1000120 |
CWE-122: Heap-based Buffer Overflow |
| 74 |
HTTP authentication leak in redirects |
January 24, 2018 |
6.0 |
7.57.0 |
CVE-2018-1000007 |
CWE-522: Insufficiently Protected Credentials |
| 73 |
HTTP/2 trailer out-of-bounds read |
January 24, 2018 |
7.49.0 |
7.57.0 |
CVE-2018-1000005 |
CWE-126: Buffer Over-read |
| 72 |
SSL out of buffer access |
November 29, 2017 |
7.56.0 |
7.56.1 |
CVE-2017-8818 |
CWE-125: Out-of-bounds Read |
| 71 |
FTP wildcard out of bounds read |
November 29, 2017 |
7.21.0 |
7.56.1 |
CVE-2017-8817 |
CWE-126: Buffer Over-read |
| 70 |
NTLM buffer overflow via integer overflow |
November 29, 2017 |
7.36.0 |
7.56.1 |
CVE-2017-8816 |
CWE-131: Incorrect Calculation of Buffer Size |
| 69 |
IMAP FETCH response out of bounds read |
October 12, 2017 |
7.20.0 |
7.56.0 |
CVE-2017-1000257 |
CWE-126: Buffer Over-read |
| 68 |
FTP PWD response parser out of bounds read |
October 04, 2017 |
7.7 |
7.55.1 |
CVE-2017-1000254 |
CWE-126: Buffer Over-read |
| 67 |
URL globbing out of bounds read |
August 09, 2017 |
7.34.0 |
7.54.1 |
CVE-2017-1000101 |
CWE-126: Buffer Over-read |
| 66 |
TFTP sends more than buffer size |
August 09, 2017 |
7.15.0 |
7.54.1 |
CVE-2017-1000100 |
CWE-126: Buffer Over-read |
| 65 |
FILE buffer read out of bounds |
August 09, 2017 |
7.54.1 |
7.54.1 |
CVE-2017-1000099 |
CWE-170: Improper Null Termination |
| 64 |
URL file scheme drive letter buffer overflow |
June 14, 2017 |
7.53.0 |
7.54.0 |
CVE-2017-9502 |
CWE-122: Heap-based Buffer Overflow |
| 63 |
TLS session resumption client cert bypass (again) |
April 19, 2017 |
7.52.0 |
7.53.1 |
CVE-2017-7468 |
CWE-305: Authentication Bypass by Primary Weakness |
| 62 |
--write-out out of buffer read |
April 03, 2017 |
6.5 |
7.53.1 |
CVE-2017-7407 |
CWE-126: Buffer Over-read |
| 61 |
SSL_VERIFYSTATUS ignored |
February 22, 2017 |
7.52.0 |
7.52.1 |
CVE-2017-2629 |
CWE-304: Missing Critical Step in Authentication |
| 60 |
uninitialized random |
December 23, 2016 |
7.52.0 |
7.52.0 |
CVE-2016-9594 |
CWE-330: Use of Insufficiently Random Values |
| 59 |
printf floating point buffer overflow |
December 21, 2016 |
7.1 |
7.51.0 |
CVE-2016-9586 |
CWE-121: Stack-based Buffer Overflow |
| 58 |
Win CE schannel cert wildcard matches too much |
December 21, 2016 |
7.30.0 |
7.51.0 |
CVE-2016-9952 |
CWE-295: Improper Certificate Validation |
| 57 |
Win CE schannel cert name out of buffer read |
December 21, 2016 |
7.30.0 |
7.51.0 |
CVE-2016-9953 |
CWE-126: Buffer Over-read |
| 56 |
cookie injection for other servers |
November 02, 2016 |
7.1 |
7.50.3 |
CVE-2016-8615 |
CWE-187: Partial Comparison |
| 55 |
case insensitive password comparison |
November 02, 2016 |
7.7 |
7.50.3 |
CVE-2016-8616 |
CWE-178: Improper Handling of Case Sensitivity |
| 54 |
OOB write via unchecked multiplication |
November 02, 2016 |
7.1 |
7.50.3 |
CVE-2016-8617 |
CWE-131: Incorrect Calculation of Buffer Size |
| 53 |
double-free in curl_maprintf |
November 02, 2016 |
7.1 |
7.50.3 |
CVE-2016-8618 |
CWE-415: Double Free |
| 52 |
double-free in krb5 code |
November 02, 2016 |
7.3 |
7.50.3 |
CVE-2016-8619 |
CWE-415: Double Free |
| 51 |
glob parser write/read out of bounds |
November 02, 2016 |
7.34.0 |
7.50.3 |
CVE-2016-8620 |
CWE-122: Heap-based Buffer Overflow |
| 50 |
curl_getdate read out of bounds |
November 02, 2016 |
7.12.2 |
7.50.3 |
CVE-2016-8621 |
CWE-126: Buffer Over-read |
| 49 |
URL unescape heap overflow via integer truncation |
November 02, 2016 |
7.24.0 |
7.50.3 |
CVE-2016-8622 |
CWE-122: Heap-based Buffer Overflow |
| 48 |
Use-after-free via shared cookies |
November 02, 2016 |
7.10.7 |
7.50.3 |
CVE-2016-8623 |
CWE-416: Use After Free |
| 47 |
invalid URL parsing with '#' |
November 02, 2016 |
7.1 |
7.50.3 |
CVE-2016-8624 |
CWE-172: Encoding Error |
| 46 |
IDNA 2003 makes curl use wrong host |
November 02, 2016 |
7.12.0 |
7.50.3 |
CVE-2016-8625 |
CWE-838: Inappropriate Encoding for Output Context |
| 45 |
curl escape and unescape integer overflows |
September 14, 2016 |
7.11.1 |
7.50.2 |
CVE-2016-7167 |
CWE-131: Incorrect Calculation of Buffer Size |
| 44 |
Incorrect reuse of client certificates |
September 07, 2016 |
7.19.6 |
7.50.1 |
CVE-2016-7141 |
CWE-305: Authentication Bypass by Primary Weakness |
| 43 |
TLS session resumption client cert bypass |
August 03, 2016 |
7.1 |
7.50.0 |
CVE-2016-5419 |
CWE-305: Authentication Bypass by Primary Weakness |
| 42 |
Re-using connections with wrong client cert |
August 03, 2016 |
7.1 |
7.50.0 |
CVE-2016-5420 |
CWE-305: Authentication Bypass by Primary Weakness |
| 41 |
use of connection struct after free |
August 03, 2016 |
7.32.0 |
7.50.0 |
CVE-2016-5421 |
CWE-416: Use After Free |
| 40 |
Windows DLL hijacking |
May 30, 2016 |
7.11.1 |
7.49.0 |
CVE-2016-4802 |
CWE-94: Improper Control of Generation of Code ('Code Injection') |
| 39 |
TLS certificate check bypass with mbedTLS/PolarSSL |
May 18, 2016 |
7.21.0 |
7.48.0 |
CVE-2016-3739 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 38 |
remote file name path traversal in curl tool for Windows |
January 27, 2016 |
7.20.0 |
7.46.0 |
CVE-2016-0754 |
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 37 |
NTLM credentials not-checked for proxy connection re-use |
January 27, 2016 |
7.10.7 |
7.46.0 |
CVE-2016-0755 |
CWE-305: Authentication Bypass by Primary Weakness |
| 36 |
SMB send off unrelated memory contents |
June 17, 2015 |
7.40.0 |
7.42.1 |
CVE-2015-3237 |
CWE-126: Buffer Over-read |
| 35 |
lingering HTTP credentials in connection re-use |
June 17, 2015 |
7.40.0 |
7.42.1 |
CVE-2015-3236 |
CWE-305: Authentication Bypass by Primary Weakness |
| 34 |
sensitive HTTP server headers also sent to proxies |
April 29, 2015 |
7.1 |
7.42.0 |
CVE-2015-3153 |
CWE-201: Information Exposure Through Sent Data |
| 33 |
host name out of boundary memory access |
April 22, 2015 |
7.37.0 |
7.41.0 |
CVE-2015-3144 |
CWE-124: Buffer Underwrite ('Buffer Underflow') |
| 32 |
cookie parser out of boundary memory access |
April 22, 2015 |
7.31.0 |
7.41.0 |
CVE-2015-3145 |
CWE-124: Buffer Underwrite ('Buffer Underflow') |
| 31 |
Negotiate not treated as connection-oriented |
April 22, 2015 |
7.10.6 |
7.41.0 |
CVE-2015-3148 |
CWE-305: Authentication Bypass by Primary Weakness |
| 30 |
Re-using authenticated connection when unauthenticated |
April 22, 2015 |
7.10.6 |
7.41.0 |
CVE-2015-3143 |
CWE-305: Authentication Bypass by Primary Weakness |
| 29 |
darwinssl certificate check bypass |
January 08, 2015 |
7.31.0 |
7.39.0 |
CVE-2014-8151 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 28 |
URL request injection |
January 08, 2015 |
6.0 |
7.39.0 |
CVE-2014-8150 |
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
| 27 |
duphandle read out of bounds |
November 05, 2014 |
7.17.1 |
7.38.0 |
CVE-2014-3707 |
CWE-126: Buffer Over-read |
| 26 |
cookie leak for TLDs |
September 10, 2014 |
7.31.0 |
7.37.1 |
CVE-2014-3620 |
CWE-201: Information Exposure Through Sent Data |
| 25 |
cookie leak with IP address as domain |
September 10, 2014 |
7.1 |
7.37.1 |
CVE-2014-3613 |
CWE-201: Information Exposure Through Sent Data |
| 24 |
not verifying certs for TLS to IP address / Winssl |
March 26, 2014 |
7.26.0 |
7.35.0 |
CVE-2014-2522 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 23 |
not verifying certs for TLS to IP address / Darwinssl |
March 26, 2014 |
7.26.0 |
7.35.0 |
CVE-2014-1263 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 22 |
IP address wildcard certificate validation |
March 26, 2014 |
7.1 |
7.35.0 |
CVE-2014-0139 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 21 |
wrong re-use of connections |
March 26, 2014 |
7.10.7 |
7.35.0 |
CVE-2014-0138 |
CWE-305: Authentication Bypass by Primary Weakness |
| 20 |
re-use of wrong HTTP NTLM connection |
January 29, 2014 |
7.10.6 |
7.34.0 |
CVE-2014-0015 |
CWE-305: Authentication Bypass by Primary Weakness |
| 19 |
cert name check ignore GnuTLS |
December 17, 2013 |
7.21.4 |
7.33.0 |
CVE-2013-6422 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 18 |
cert name check ignore OpenSSL |
November 15, 2013 |
7.18.0 |
7.32.0 |
CVE-2013-4545 |
CWE-297: Improper Validation of Certificate with Host Mismatch |
| 17 |
URL decode buffer boundary flaw |
June 22, 2013 |
7.7 |
7.30.0 |
CVE-2013-2174 |
CWE-126: Buffer Over-read |
| 16 |
cookie domain tailmatch |
April 12, 2013 |
6.0 |
7.29.0 |
CVE-2013-1944 |
CWE-201: Information Exposure Through Sent Data |
| 15 |
SASL buffer overflow |
February 06, 2013 |
7.26.0 |
7.28.1 |
CVE-2013-0249 |
CWE-121: Stack-based Buffer Overflow |
| 14 |
SSL CBC IV vulnerability |
January 24, 2012 |
7.10.6 |
7.23.1 |
CVE-2011-3389 |
CWE-924: Improper Enforcement of Message Integrity |
| 13 |
URL sanitization vulnerability |
January 24, 2012 |
7.20.0 |
7.23.1 |
CVE-2012-0036 |
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| 12 |
inappropriate GSSAPI delegation |
June 23, 2011 |
7.10.6 |
7.21.6 |
CVE-2011-2192 |
CWE-281: Improper Preservation of Permissions |
| 11 |
local file overwrite |
October 13, 2010 |
7.20.0 |
7.21.1 |
CVE-2010-3842 |
CWE-30: Path Traversal |
| 10 |
data callback excessive length |
February 09, 2010 |
7.10.5 |
7.19.7 |
CVE-2010-0734 |
CWE-628: Function Call with Incorrectly Specified Arguments |
| 9 |
embedded zero in cert name |
August 12, 2009 |
7.4 |
7.19.5 |
CVE-2009-2417 |
CWE-170: Improper Null Termination |
| 8 |
Arbitrary File Access |
March 03, 2009 |
6.0 |
7.19.3 |
CVE-2009-0037 |
CWE-142: Improper Neutralization of Value Delimiters |
| 7 |
GnuTLS insufficient cert verification |
July 10, 2007 |
7.14.0 |
7.16.3 |
CVE-2007-3564 |
CWE-298: Improper Validation of Certificate Expiration |
| 6 |
TFTP Packet Buffer Overflow |
March 20, 2006 |
7.15.0 |
7.15.2 |
CVE-2006-1061 |
CWE-122: Heap-based Buffer Overflow |
| 5 |
URL Buffer Overflow |
December 07, 2005 |
7.11.2 |
7.15.0 |
CVE-2005-4077 |
CWE-122: Heap-based Buffer Overflow |
| 4 |
NTLM Buffer Overflow |
October 13, 2005 |
7.10.6 |
7.14.1 |
CVE-2005-3185 |
CWE-121: Stack-based Buffer Overflow |
| 3 |
Authentication Buffer Overflows |
February 21, 2005 |
7.3 |
7.13.0 |
CVE-2005-0490 |
CWE-121: Stack-based Buffer Overflow |
| 2 |
Proxy Authentication Header Information Leakage |
August 03, 2003 |
7.1 |
7.10.6 |
CVE-2003-1605 |
CWE-201: Information Exposure Through Sent Data |
| 1 |
FTP Server Response Buffer Overflow |
October 13, 2000 |
6.0 |
7.4 |
CVE-2000-0973 |
CWE-121: Stack-based Buffer Overflow |