If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our HackerOne page and tell us.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
Published vulnerabilities
(The table below shows vulnerabilities of all severity levels)
The flaws listed as "C mistakes" are vulnerabilities that we deem likely would not have happened had we used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE and UNINIT.
Retracted security vulnerabilities
Issues no longer considered curl security problems:
Bogus security vulnerabilities
Issues filed by others that are plain lies:
curl vulnerability data
Each vulnerability is also provided as a single JSON file that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE ID.
The JSON output follows the Open Source Vulnerability format.