
Security

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell us about it.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.

See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.

Security audit

Trail of Bits performed a security audit of the curl source code and internals during the fall of 2022, summarized in these PDF documents, published December 21, 2022.

Past vulnerabilities

#   S   Vulnerability   Date   First (vulnerable version)   Last (vulnerable version)
141   CVE-2023-27538: SSH connection too eager reuse still 2023-03-20 7.16.1 7.88.1
140   CVE-2023-27537: HSTS double-free 2023-03-20 7.88.0 7.88.1
139   CVE-2023-27536: GSS delegation too eager connection re-use 2023-03-20 7.22.0 7.88.1
138   CVE-2023-27535: FTP too eager connection reuse 2023-03-20 7.13.0 7.88.1
137   CVE-2023-27534: SFTP path ~ resolving discrepancy 2023-03-20 7.18.0 7.88.1
136   CVE-2023-27533: TELNET option IAC injection 2023-03-20 7.7 7.88.1
135   CVE-2023-23916: HTTP multi-header compression denial of service 2023-02-15 7.57.0 7.87.0
134   CVE-2023-23915: HSTS amnesia with --parallel 2023-02-15 7.77.0 7.87.0
133   CVE-2023-23914: HSTS ignored on multiple requests 2023-02-15 7.77.0 7.87.0
132   CVE-2022-43552: HTTP Proxy deny use-after-free 2022-12-21 7.16.0 7.86.0
131   CVE-2022-43551: Another HSTS bypass via IDN 2022-12-21 7.77.0 7.86.0
130   CVE-2022-42916: HSTS bypass via IDN 2022-10-26 7.77.0 7.85.0
129   CVE-2022-42915: HTTP proxy double-free 2022-10-26 7.77.0 7.85.0
128   CVE-2022-35260: .netrc parser out-of-bounds access 2022-10-26 7.84.0 7.85.0
127   CVE-2022-32221: POST following PUT confusion 2022-10-26 7.7 7.85.0
126   CVE-2022-35252: control code in cookie denial of service 2022-08-31 4.9 7.84.0
125   CVE-2022-32208: FTP-KRB bad message verification 2022-06-27 7.16.4 7.83.1
124   CVE-2022-32207: Unpreserved file permissions 2022-06-27 7.69.0 7.83.1
123   CVE-2022-32206: HTTP compression denial of service 2022-06-27 7.57.0 7.83.1
122   CVE-2022-32205: Set-Cookie denial of service 2022-06-27 7.71.0 7.83.1
121   CVE-2022-30115: HSTS bypass via trailing dot 2022-05-11 7.82.0 7.83.0
120   CVE-2022-27782: TLS and SSH connection too eager reuse 2022-05-11 7.16.1 7.83.0
119   CVE-2022-27781: CERTINFO never-ending busy-loop 2022-05-11 7.34.0 7.83.0
118   CVE-2022-27780: percent-encoded path separator in URL host 2022-05-11 7.80.0 7.83.0
117   CVE-2022-27779: cookie for trailing dot TLD 2022-05-11 7.82.0 7.83.0
116   CVE-2022-27778: curl removes wrong file on error 2022-05-11 7.83.0 7.83.0
115   CVE-2022-27776: Auth/cookie leak on redirect 2022-04-27 4.9 7.82.0
114   CVE-2022-27775: Bad local IPv6 connection reuse 2022-04-27 7.65.0 7.82.0
113   CVE-2022-27774: Credential leak on redirect 2022-04-27 4.9 7.82.0
112   CVE-2022-22576: OAUTH2 bearer bypass in connection re-use 2022-04-27 7.33.0 7.82.0
111   CVE-2021-22947: STARTTLS protocol injection via MITM 2021-09-15 7.20.0 7.78.0
110   CVE-2021-22946: Protocol downgrade required TLS bypassed 2021-09-15 7.20.0 7.78.0
109   CVE-2021-22945: UAF and double-free in MQTT sending 2021-09-15 7.73.0 7.78.0
108   CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport 2021-07-21 7.33.0 7.77.0
107   CVE-2021-22925: TELNET stack contents disclosure again 2021-07-21 7.7 7.77.0
106   CVE-2021-22924: Bad connection reuse due to flawed path name checks 2021-07-21 7.10.4 7.77.0
105   CVE-2021-22923: Metalink download sends credentials 2021-07-21 7.27.0 7.77.0
104   CVE-2021-22922: Wrong content via metalink not discarded 2021-07-21 7.27.0 7.77.0
103   CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1
102   CVE-2021-22898: TELNET stack contents disclosure 2021-05-26 7.7 7.76.1
101   CVE-2021-22897: schannel cipher selection surprise 2021-05-26 7.61.0 7.76.1
100   CVE-2021-22890: TLS 1.3 session ticket proxy host mixup 2021-03-31 7.63.0 7.75.0
99   CVE-2021-22876: Automatic referer leaks credentials 2021-03-31 7.1.1 7.75.0
98   CVE-2020-8286: Inferior OCSP verification 2020-12-09 7.41.0 7.73.0
97   CVE-2020-8285: FTP wildcard stack overflow 2020-12-09 7.21.0 7.73.0
96   CVE-2020-8284: trusting FTP PASV responses 2020-12-09 4.0 7.73.0
95   CVE-2020-8231: wrong connect-only connection 2020-08-19 7.29.0 7.71.1
94   CVE-2020-8177: curl overwrite local file with -J 2020-06-24 7.20.0 7.70.0
93   CVE-2020-8169: Partial password leak over DNS on HTTP redirect 2020-06-24 7.62.0 7.70.0
92   CVE-2019-5481: FTP-KRB double-free 2019-09-11 7.52.0 7.65.3
91   CVE-2019-5482: TFTP small blocksize heap buffer overflow 2019-09-11 7.19.4 7.65.3
90   CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.61.0 7.65.1
89   CVE-2019-5436: TFTP receive buffer overflow 2019-05-22 7.19.4 7.64.1
88   CVE-2019-5435: Integer overflows in curl_url_set 2019-05-22 7.62.0 7.64.1
87   CVE-2018-16890: NTLM type-2 out-of-bounds buffer read 2019-02-06 7.36.0 7.63.0
86   CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
85   CVE-2019-3823: SMTP end-of-response out-of-bounds read 2019-02-06 7.34.0 7.63.0
84   CVE-2018-16842: warning message out-of-buffer read 2018-10-31 7.14.1 7.61.1
83   CVE-2018-16840: use-after-free in handle close 2018-10-31 7.59.0 7.61.1
82   CVE-2018-16839: SASL password overflow via integer overflow 2018-10-31 7.33.0 7.61.1
81   CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80   CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79   CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
78   CVE-2018-1000301: RTSP bad headers buffer over-read 2018-05-16 7.20.0 7.59.0
77   CVE-2018-1000122: RTSP RTP buffer over-read 2018-03-14 7.20.0 7.58.0
76   CVE-2018-1000121: LDAP NULL pointer dereference 2018-03-14 7.21.0 7.58.0
75   CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
74   CVE-2018-1000007: HTTP authentication leak in redirects 2018-01-24 6.0 7.57.0
73   CVE-2018-1000005: HTTP/2 trailer out-of-bounds read 2018-01-24 7.49.0 7.57.0
72   CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
71   CVE-2017-8817: FTP wildcard out of bounds read 2017-11-29 7.21.0 7.56.1
70   CVE-2017-8816: NTLM buffer overflow via integer overflow 2017-11-29 7.36.0 7.56.1
69   CVE-2017-1000257: IMAP FETCH response out of bounds read 2017-10-12 7.20.0 7.56.0
68   CVE-2017-1000254: FTP PWD response parser out of bounds read 2017-10-04 7.7 7.55.1
67   CVE-2017-1000101: URL globbing out of bounds read 2017-08-09 7.34.0 7.54.1
66   CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
65   CVE-2017-1000099: FILE buffer read out of bounds 2017-08-09 7.54.1 7.54.1
64   CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63   CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
62   CVE-2017-7407: --write-out out of buffer read 2017-04-03 6.5 7.53.1
61   CVE-2017-2629: SSL_VERIFYSTATUS ignored 2017-02-22 7.52.0 7.52.1
60   CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
59   CVE-2016-9586: printf floating point buffer overflow 2016-12-21 5.4 7.51.0
58   CVE-2016-9952: Win CE schannel cert wildcard matches too much 2016-12-21 7.30.0 7.51.0
57   CVE-2016-9953: Win CE schannel cert name out of buffer read 2016-12-21 7.30.0 7.51.0
56   CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
55   CVE-2016-8616: case insensitive password comparison 2016-11-02 7.7 7.50.3
54   CVE-2016-8617: OOB write via unchecked multiplication 2016-11-02 7.3 7.50.3
53   CVE-2016-8618: double-free in curl_maprintf 2016-11-02 5.4 7.50.3
52   CVE-2016-8619: double-free in krb5 code 2016-11-02 7.3 7.50.3
51   CVE-2016-8620: glob parser write/read out of bounds 2016-11-02 7.34.0 7.50.3
50   CVE-2016-8621: curl_getdate read out of bounds 2016-11-02 7.12.2 7.50.3
49   CVE-2016-8622: URL unescape heap overflow via integer truncation 2016-11-02 7.24.0 7.50.3
48   CVE-2016-8623: Use-after-free via shared cookies 2016-11-02 7.10.7 7.50.3
47   CVE-2016-8624: invalid URL parsing with '#' 2016-11-02 6.0 7.50.3
46   CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
45   CVE-2016-7167: curl escape and unescape integer overflows 2016-09-14 7.11.1 7.50.2
44   CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43   CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
42   CVE-2016-5420: Re-using connections with wrong client cert 2016-08-03 7.7 7.50.0
41   CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40   CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39   CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38   CVE-2016-0754: remote file name path traversal in curl tool for Windows 2016-01-27 7.20.0 7.46.0
37   CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use 2016-01-27 7.10.7 7.46.0
36   CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35   CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34   CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
33   CVE-2015-3144: host name out of boundary memory access 2015-04-22 7.37.0 7.41.0
32   CVE-2015-3145: cookie parser out of boundary memory access 2015-04-22 7.31.0 7.41.0
31   CVE-2015-3148: Negotiate not treated as connection-oriented 2015-04-22 7.10.6 7.41.0
30   CVE-2015-3143: Re-using authenticated connection when unauthenticated 2015-04-22 7.10.6 7.41.0
29   CVE-2014-8151: darwinssl certificate check bypass 2015-01-08 7.31.0 7.39.0
28   CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
27   CVE-2014-3707: duphandle read out of bounds 2014-11-05 7.17.1 7.38.0
26   CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
25   CVE-2014-3613: cookie leak with IP address as domain 2014-09-10 4.0 7.37.1
24   CVE-2014-2522: not verifying certs for TLS to IP address / Winssl 2014-03-26 7.26.0 7.35.0
23   CVE-2014-1263: not verifying certs for TLS to IP address / Darwinssl 2014-03-26 7.26.0 7.35.0
22   CVE-2014-0139: IP address wildcard certificate validation 2014-03-26 7.10.3 7.35.0
21   CVE-2014-0138: wrong re-use of connections 2014-03-26 7.10.7 7.35.0
20   CVE-2014-0015: re-use of wrong HTTP NTLM connection 2014-01-29 7.10.6 7.34.0
19   CVE-2013-6422: cert name check ignore GnuTLS 2013-12-17 7.21.4 7.33.0
18   CVE-2013-4545: cert name check ignore OpenSSL 2013-11-15 7.18.0 7.32.0
17   CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16   CVE-2013-1944: cookie domain tailmatch 2013-04-12 6.0 7.29.0
15   CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14   CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13   CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
12   CVE-2011-2192: inappropriate GSSAPI delegation 2011-06-23 7.10.6 7.21.6
11   CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10   CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9   CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
8   CVE-2009-0037: Arbitrary File Access 2009-03-03 6.0 7.19.3
7   CVE-2007-3564: GnuTLS insufficient cert verification 2007-07-10 7.14.0 7.16.3
6   CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5   CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4   CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3   CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2   CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1   CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

Retracted security vulnerabilities

Issues no longer considered curl security problems:

curl vulnerabilities data as a CSV

vuln.csv contains the same information as the table above in a more machine-friendly format.