Security
We take security seriously and develop curl and libcurl to be secure and safe.
If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our HackerOne page.
We appreciate getting notified in advance before you go public with security advisories for the sake of our users. We disclose security vulnerabilities in association with our fixes for them.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
Security audit
Trail of Bits performed a security audit of curl source code and internals during the fall of 2022, summed up in these PDF documents. Published December 21, 2022.
- Threat Model Report & Fix Review (43 pages)
- Code Review & Testing Analysis (58 pages)
Past vulnerabilities
Retracted security vulnerabilities
Issues no longer considered curl security problems:
- CVE-2019-15601 - SMB access smuggling via FILE URL on Windows
curl vulnerabilities data as a CSV
vuln.csv has the same info as the table above in a more machine-friendly format.