
Vulnerabilities in curl 7.50.1

curl version 7.50.1 was released on August 3, 2016.

It has the following 92 published security problems.

| Severity | Flaw | First | Last |
|---|---|---|---|
| M | CVE-2026-11856: cross-origin Digest auth state leak | 7.10.6 | 8.20.0 |
| L | CVE-2026-8932: incomplete mTLS config matching in conn reuse | 7.7 | 8.20.0 |
| M | CVE-2026-8927: env-set cross-proxy Digest auth state leak | 7.12.0 | 8.20.0 |
| L | CVE-2026-8924: trailing dot domain super cookie | 7.46.0 | 8.20.0 |
| L | CVE-2026-8458: wrong reuse for different services | 7.43.0 | 8.20.0 |
| L | CVE-2026-8286: wrong STARTTLS connection reuse | 7.30.0 | 8.20.0 |
| M | CVE-2026-7168: cross-proxy Digest auth state leak | 7.12.0 | 8.19.0 |
| M | CVE-2026-6429: netrc credential leak with reused proxy connection | 7.14.0 | 8.19.0 |
| M | CVE-2026-6253: proxy credentials leak over redirect-to proxy | 7.14.1 | 8.19.0 |
| L | CVE-2026-5773: wrong reuse of SMB connection | 7.40.0 | 8.19.0 |
| M | CVE-2026-5545: wrong reuse of HTTP Negotiate connection | 7.10.6 | 8.19.0 |
| L | CVE-2026-4873: connection reuse ignores TLS requirement | 7.20.0 | 8.19.0 |
| L | CVE-2026-3784: wrong proxy connection reuse with credentials | 7.7 | 8.18.0 |
| M | CVE-2026-3783: token leak with redirect and netrc | 7.33.0 | 8.18.0 |
| M | CVE-2026-1965: bad reuse of HTTP Negotiate connection | 7.10.6 | 8.18.0 |
| L | CVE-2025-14524: bearer token leak on cross-protocol redirect | 7.33.0 | 8.17.0 |
| M | CVE-2025-14017: broken TLS options for threaded LDAPS | 7.17.0 | 8.17.0 |
| L | CVE-2025-0725: gzip integer overflow | 7.10.5 | 8.11.1 |
| M | CVE-2024-8096: OCSP stapling bypass with GnuTLS | 7.41.0 | 8.9.1 |
| L | CVE-2024-7264: ASN.1 date parser overread | 7.32.0 | 8.9.0 |
| M | CVE-2024-2398: HTTP/2 push headers memory-leak | 7.44.0 | 8.6.0 |
| M | CVE-2023-46218: cookie mixed case PSL bypass | 7.46.0 | 8.4.0 |
| L | CVE-2023-38546: cookie injection with none file | 7.9.1 | 8.3.0 |
| L | CVE-2023-28322: more POST-after-PUT confusion | 7.7 | 8.0.1 |
| L | CVE-2023-28321: IDN wildcard match | 7.12.0 | 8.0.1 |
| L | CVE-2023-28320: siglongjmp race condition | 7.9.8 | 8.0.1 |
| L | CVE-2023-27538: SSH connection too eager reuse still | 7.16.1 | 7.88.1 |
| L | CVE-2023-27536: GSS delegation too eager connection reuse | 7.22.0 | 7.88.1 |
| M | CVE-2023-27535: FTP too eager connection reuse | 7.13.0 | 7.88.1 |
| L | CVE-2023-27534: SFTP path ~ resolving discrepancy | 7.18.0 | 7.88.1 |
| L | CVE-2023-27533: TELNET option IAC injection | 7.7 | 7.88.1 |
| L | CVE-2022-43552: HTTP Proxy deny use after free | 7.16.0 | 7.86.0 |
| M | CVE-2022-32221: POST following PUT confusion | 7.7 | 7.85.0 |
| L | CVE-2022-35252: control code in cookie denial of service | 4.9 | 7.84.0 |
| L | CVE-2022-32208: FTP-KRB bad message verification | 7.16.4 | 7.83.1 |
| M | CVE-2022-27782: TLS and SSH connection too eager reuse | 7.16.1 | 7.83.0 |
| L | CVE-2022-27781: CERTINFO never-ending busy-loop | 7.34.0 | 7.83.0 |
| L | CVE-2022-27776: Auth/cookie leak on redirect | 4.9 | 7.82.0 |
| M | CVE-2022-27774: Credential leak on redirect | 4.9 | 7.82.0 |
| M | CVE-2022-22576: OAUTH2 bearer bypass in connection reuse | 7.33.0 | 7.82.0 |
| M | CVE-2021-22947: STARTTLS protocol injection via MITM | 7.20.0 | 7.78.0 |
| M | CVE-2021-22946: Protocol downgrade required TLS bypassed | 7.20.0 | 7.78.0 |
| M | CVE-2021-22926: CURLOPT_SSLCERT mix-up with Secure Transport | 7.33.0 | 7.77.0 |
| M | CVE-2021-22925: TELNET stack contents disclosure again | 7.7 | 7.77.0 |
| M | CVE-2021-22924: Bad connection reuse due to flawed path name checks | 7.10.4 | 7.77.0 |
| M | CVE-2021-22923: Metalink download sends credentials | 7.27.0 | 7.77.0 |
| M | CVE-2021-22922: Wrong content via Metalink not discarded | 7.27.0 | 7.77.0 |
| M | CVE-2021-22898: TELNET stack contents disclosure | 7.7 | 7.76.1 |
| L | CVE-2021-22876: Automatic referer leaks credentials | 7.1.1 | 7.75.0 |
| M | CVE-2020-8286: Inferior OCSP verification | 7.41.0 | 7.73.0 |
| M | CVE-2020-8285: FTP wildcard stack overflow | 7.21.0 | 7.73.0 |
| L | CVE-2020-8284: trusting FTP PASV responses | 4.0 | 7.73.0 |
| L | CVE-2020-8231: wrong connect-only connection | 7.29.0 | 7.71.1 |
| M | CVE-2020-8177: curl overwrite local file with -J | 7.20.0 | 7.70.0 |
| M | CVE-2019-5482: TFTP small blocksize heap buffer overflow | 7.19.4 | 7.65.3 |
| H | CVE-2019-5443: Windows OpenSSL engine code injection | 7.44.0 | 7.65.1 |
| L | CVE-2019-5436: TFTP receive buffer overflow | 7.19.4 | 7.64.1 |
| M | CVE-2018-16890: NTLM type-2 out-of-bounds buffer read | 7.36.0 | 7.63.0 |
| H | CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow | 7.36.0 | 7.63.0 |
| L | CVE-2019-3823: SMTP end-of-response out-of-bounds read | 7.34.0 | 7.63.0 |
| L | CVE-2018-16842: warning message out-of-buffer read | 7.14.1 | 7.61.1 |
| L | CVE-2018-16839: SASL password overflow via integer overflow | 7.33.0 | 7.61.1 |
| H | CVE-2018-14618: NTLM password overflow via integer overflow | 7.15.4 | 7.61.0 |
| M | CVE-2018-1000301: RTSP bad headers buffer over-read | 7.20.0 | 7.59.0 |
| M | CVE-2018-1000122: RTSP RTP buffer over-read | 7.20.0 | 7.58.0 |
| L | CVE-2018-1000121: LDAP NULL pointer dereference | 7.21.0 | 7.58.0 |
| H | CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write | 7.12.3 | 7.58.0 |
| L | CVE-2018-1000007: HTTP authentication leak in redirects | 6.0 | 7.57.0 |
| L | CVE-2018-1000005: HTTP/2 trailer out-of-bounds read | 7.49.0 | 7.57.0 |
| M | CVE-2017-8817: FTP wildcard out of bounds read | 7.21.0 | 7.56.1 |
| M | CVE-2017-8816: NTLM buffer overflow via integer overflow | 7.36.0 | 7.56.1 |
| M | CVE-2017-1000257: IMAP FETCH response out of bounds read | 7.20.0 | 7.56.0 |
| M | CVE-2017-1000254: FTP PWD response parser out of bounds read | 7.7 | 7.55.1 |
| M | CVE-2017-1000101: URL globbing out of bounds read | 7.34.0 | 7.54.1 |
| H | CVE-2017-1000100: TFTP sends more than buffer size | 7.15.0 | 7.54.1 |
| M | CVE-2017-7407: --write-out out of buffer read | 6.5 | 7.53.1 |
| M | CVE-2016-9586: printf floating point buffer overflow | 5.4 | 7.51.0 |
| M | CVE-2016-9952: Win CE Schannel cert wildcard matches too much | 7.27.0 | 7.51.0 |
| M | CVE-2016-9953: Win CE Schannel cert name out of buffer read | 7.27.0 | 7.51.0 |
| H | CVE-2016-8615: cookie injection for other servers | 4.9 | 7.50.3 |
| M | CVE-2016-8616: case insensitive password comparison | 7.7 | 7.50.3 |
| M | CVE-2016-8617: OOB write via unchecked multiplication | 7.8.1 | 7.50.3 |
| M | CVE-2016-8618: double free in curl_maprintf | 5.4 | 7.50.3 |
| H | CVE-2016-8619: double free in krb5 code | 7.3 | 7.50.3 |
| M | CVE-2016-8620: glob parser write/read out of bounds | 7.34.0 | 7.50.3 |
| M | CVE-2016-8621: curl_getdate read out of bounds | 7.12.2 | 7.50.3 |
| M | CVE-2016-8622: URL unescape heap overflow via integer truncation | 7.24.0 | 7.50.3 |
| H | CVE-2016-8623: Use after free via shared cookies | 7.10.7 | 7.50.3 |
| M | CVE-2016-8624: invalid URL parsing with '#' | 6.0 | 7.50.3 |
| H | CVE-2016-8625: IDNA 2003 makes curl use wrong host | 7.12.0 | 7.50.3 |
| M | CVE-2016-7167: curl escape and unescape integer overflows | 7.11.1 | 7.50.2 |
| H | CVE-2016-7141: Incorrect reuse of client certificates | 7.19.6 | 7.50.1 |

Further details

CVE data for 7.50.1 provided as JSON.

Changelog for curl 7.50.1

See vulnerability summary for the previous release: 7.50.0 or the subsequent release: 7.50.2