[ { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14524", "aliases": [ "CVE-2025-14524" ], "summary": "bearer token leak on cross-protocol redirect", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-14524.json", "www": "https://curl.se/docs/CVE-2025-14524.html", "issue": "https://hackerone.com/reports/3459417", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"}, {"fixed": "1a822275d333dc6da6043497160fd04c8fa48640"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "anonymous237 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14017", "aliases": [ "CVE-2025-14017" ], "summary": "broken TLS options for threaded LDAPS", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2025-14017.json", "www": "https://curl.se/docs/CVE-2025-14017.html", "CWE": { "id": "CWE-567", "desc": "Unsynchronized Access to Shared Data in a Multi-threaded Context" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Medium" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.17.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34"}, {"fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0725", "aliases": [ "CVE-2025-0725" ], "summary": "gzip integer overflow", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0725.json", "www": "https://curl.se/docs/CVE-2025-0725.html", "issue": "https://hackerone.com/reports/2956023", "CWE": { "id": "CWE-680", "desc": "Integer Overflow to Buffer Overflow" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.5"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "019c4088cfcca0d2b7c5cc4f52ca5dac0c616089"}, {"fixed": "76f83f0db23846e254d940ec7fe141010077eb88"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5" ] } ], "credits": [ { "name": "z2_", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-8096", "aliases": [ "CVE-2024-8096" ], "summary": "OCSP stapling bypass with GnuTLS", "modified": "2024-10-24T18:05:41.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-8096.json", "www": "https://curl.se/docs/CVE-2024-8096.html", "issue": "https://hackerone.com/reports/2669852", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.9.1", "severity": "Medium" }, "published": "2024-09-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.41.0"}, {"fixed": "8.10.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "f13669a375f5bfd14797bda91642cabe076974fa"}, {"fixed": "aeb1a281cab13c7ba791cb104e556b20e713941f"} ] } ], "versions": [ "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as OCSP stapling, to verify that the server certificate is valid,\nit might fail to detect some OCSP problems and instead wrongly consider the\nresponse as fine.\n\nIf the returned status reports another error than \"revoked\" (like for example\n\"unauthorized\") it is not treated as a bad certificate." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-7264", "aliases": [ "CVE-2024-7264" ], "summary": "ASN.1 date parser overread", "modified": "2024-07-31T09:57:12.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-7264.json", "www": "https://curl.se/docs/CVE-2024-7264.html", "issue": "https://hackerone.com/reports/2629968", "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.9.0", "severity": "Low" }, "published": "2024-07-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.32.0"}, {"fixed": "8.9.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d"}, {"fixed": "27959ecce75cdb2809c0bdb3286e60e08fadb519"} ] } ], "versions": [ "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0" ] } ], "credits": [ { "name": "Dov Murik (Transmit Security)", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-2398", "aliases": [ "CVE-2024-2398" ], "summary": "HTTP/2 push headers memory-leak", "modified": "2024-03-26T10:36:00.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2024-2398.json", "www": "https://curl.se/docs/CVE-2024-2398.html", "issue": "https://hackerone.com/reports/2402845", "CWE": { "id": "CWE-772", "desc": "Missing Release of Resource after Effective Lifetime" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.6.0", "severity": "Medium" }, "published": "2024-03-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.44.0"}, {"fixed": "8.7.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ea7134ac874a66107e54ff93657ac565cf2ec4aa"}, {"fixed": "deca8039991886a559b67bcd6701db800a5cf764"} ] } ], "versions": [ "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0" ] } ], "credits": [ { "name": "w0x42 on hackerone", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an application tells libcurl it wants to allow HTTP/2 server push, and\nthe amount of received headers for the push surpasses the maximum allowed\nlimit (1000), libcurl aborts the server push. When aborting, libcurl\ninadvertently does not free all the previously allocated headers and instead\nleaks the memory.\n\nFurther, this error condition fails silently and is therefore not easily\ndetected by an application." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-46218", "aliases": [ "CVE-2023-46218" ], "summary": "cookie mixed case PSL bypass", "modified": "2024-01-12T23:40:27.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-46218.json", "www": "https://curl.se/docs/CVE-2023-46218.html", "issue": "https://hackerone.com/reports/2212193", "CWE": { "id": "CWE-201", "desc": "Information Exposure Through Sent Data" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.4.0", "severity": "Medium" }, "published": "2023-12-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.46.0"}, {"fixed": "8.5.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e77b5b7453c1e8ccd7ec0816890d98e2f392e465"}, {"fixed": "2b0994c29a721c91c572cff7808c572a24d251eb"} ] } ], "versions": [ "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a\nlowercase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL\ndomain." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-38546", "aliases": [ "CVE-2023-38546" ], "summary": "cookie injection with none file", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-38546.json", "www": "https://curl.se/docs/CVE-2023-38546.html", "issue": "https://hackerone.com/reports/2148242", "CWE": { "id": "CWE-73", "desc": "External Control of filename or Path" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.3.0", "severity": "Low" }, "published": "2023-10-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.9.1"}, {"fixed": "8.4.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "74d5a6fb3b9a96d9fa51ba90996e94c878ebd151"}, {"fixed": "61275672b46d9abb3285740467b882e22ed75da8"} ] } ], "versions": [ "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1" ] } ], "credits": [ { "name": "w0x42 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw allows an attacker to intentionally inject cookies into a running\nprogram using libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the filename as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl, when using the correct file format of course." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28322", "aliases": [ "CVE-2023-28322" ], "summary": "more POST-after-PUT confusion", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-28322.json", "www": "https://curl.se/docs/CVE-2023-28322.html", "issue": "https://hackerone.com/reports/1954658", "CWE": { "id": "CWE-440", "desc": "Expected Behavior Violation" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"}, {"fixed": "7815647d6582c0a4900be2e1de6c5e61272c496b"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the second\ntransfer.\n\nThe problem exists in the logic for a reused handle when it is (expected to\nbe) changed from a PUT to a POST." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28321", "aliases": [ "CVE-2023-28321" ], "summary": "IDN wildcard match", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-28321.json", "www": "https://curl.se/docs/CVE-2023-28321.html", "issue": "https://hackerone.com/reports/1950627", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.12.0"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"}, {"fixed": "199f2d440d8659b42670c1b796220792b01a97bf"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports matching of wildcard patterns when listed as \"Subject\nAlternative Name\" in TLS server certificates. curl can be built to use its own\nname matching function for TLS rather than one provided by a TLS library. This\nprivate wildcard matching function would match IDN (International Domain Name)\nhosts incorrectly and could as a result accept patterns that otherwise should\nmismatch.\n\nIDN hostnames are converted to puny code before used for certificate\nchecks. Puny coded names always start with `xn--` and should not be allowed to\npattern match, but the wildcard check in curl could still check for `x*`,\nwhich would match even though the IDN name most likely contained nothing even\nresembling an `x`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28320", "aliases": [ "CVE-2023-28320" ], "summary": "siglongjmp race condition", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-28320.json", "www": "https://curl.se/docs/CVE-2023-28320.html", "issue": "https://hackerone.com/reports/1929597", "CWE": { "id": "CWE-662", "desc": "Improper Synchronization" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.9.8"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3c49b405de4fbf1fd7127f91908261268640e54f"}, {"fixed": "13718030ad4b3209a7583b4f27f683cd3a6fa5f2"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl provides several different backends for resolving hostnames, selected\nat build time. If it is built to use the synchronous resolver, it allows name\nresolves to time-out slow operations using `alarm()` and `siglongjmp()`.\n\nWhen doing this, libcurl used a global buffer that was not mutex protected and\na multi-threaded application might therefore crash or otherwise misbehave." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27538", "aliases": [ "CVE-2023-27538" ], "summary": "SSH connection too eager reuse still", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-27538.json", "www": "https://curl.se/docs/CVE-2023-27538.html", "issue": "https://hackerone.com/reports/1898475", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Low" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.16.1"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "2147284cad624325f5b0034c2f394db62086d9e6"}, {"fixed": "af369db4d3833272b8ed443f7fcc2e757a0872eb"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl would reuse a previously created connection even when an SSH related\noption had been changed that should have prohibited reuse.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, two SSH settings\nwere left out from the configuration match checks, making them match too\neasily." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27536", "aliases": [ "CVE-2023-27536" ], "summary": "GSS delegation too eager connection reuse", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-27536.json", "www": "https://curl.se/docs/CVE-2023-27536.html", "issue": "https://hackerone.com/reports/1895135", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Low" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.22.0"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ebf42c4be76df40ec6d3bf32f229bbb274e2c32f"}, {"fixed": "cb49e67303dbafbab1cebf4086e3ec15b7d56ee5"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl would reuse a previously created connection even when the GSS\ndelegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could\nhave changed the user's permissions in a second transfer.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, this GSS\ndelegation setting was left out from the configuration match checks, making\nthem match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27535", "aliases": [ "CVE-2023-27535" ], "summary": "FTP too eager connection reuse", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-27535.json", "www": "https://curl.se/docs/CVE-2023-27535.html", "issue": "https://hackerone.com/reports/1892780", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Medium" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.13.0"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "177dbc7be07125582ddb7416dba7140b88ab9f62"}, {"fixed": "8f4608468b890dce2dad9f91d5607ee7e9c1aba1"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl would reuse a previously created FTP connection even when one or more\noptions had been changed that could have made the effective user a different\none, thus leading to doing the second transfer with the wrong credentials.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, several FTP\nsettings were left out from the configuration match checks, making them match\ntoo easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`,\n`CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL`\nlevel." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27534", "aliases": [ "CVE-2023-27534" ], "summary": "SFTP path ~ resolving discrepancy", "modified": "2023-05-09T13:59:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-27534.json", "www": "https://curl.se/docs/CVE-2023-27534.html", "issue": "https://hackerone.com/reports/1892351", "CWE": { "id": "CWE-22", "desc": "Improper Limitation of a Pathname to a Restricted Directory" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Low" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.18.0"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ba6f20a2442ab1ebfe947cff19a552f92114a29a"}, {"fixed": "4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports SFTP transfers. curl's SFTP implementation offers a special\nfeature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denotes a path relative to the user's home\ndirectory. This is supported because of wording in the [once proposed\nto-become RFC\ndraft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)\nthat was to dictate how SFTP URLs work.\n\nDue to a bug, the handling of the tilde in SFTP path did however not only\nreplace it when it is used stand-alone as the first path element but also\nwrongly when used as a mere prefix in the first element.\n\nUsing a path like `/~2/foo` when accessing a server using the user `dan` (with\nhome directory `/home/dan`) would then quite surprisingly access the file\n`/home/dan2/foo`.\n\nThis can be taken advantage of to circumvent filtering or worse." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27533", "aliases": [ "CVE-2023-27533" ], "summary": "TELNET option IAC injection", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-27533.json", "www": "https://curl.se/docs/CVE-2023-27533.html", "issue": "https://hackerone.com/reports/1891474", "CWE": { "id": "CWE-75", "desc": "Failure to Sanitize Special Elements into a Different Plane" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Low" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "538b1e79a6e7b0bb829ab4cecc828d32105d0684"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports communicating using the TELNET protocol and as a part of this it\noffers users to pass on username and \"telnet options\" for the server\nnegotiation.\n\nDue to lack of proper input scrubbing and without it being the documented\nfunctionality, curl would pass on username and telnet options to the server\nas provided. This could allow users to pass in carefully crafted content that\npass on content or do option negotiation without the application intending to\ndo so. In particular if an application for example allows users to provide the\ndata or parts of the data." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-43552", "aliases": [ "CVE-2022-43552" ], "summary": "HTTP Proxy deny use after free", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-43552.json", "www": "https://curl.se/docs/CVE-2022-43552.html", "issue": "https://hackerone.com/reports/1764858", "CWE": { "id": "CWE-416", "desc": "Use After Free" }, "last_affected": "7.86.0", "severity": "Low" }, "published": "2022-12-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.16.0"}, {"fixed": "7.87.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "b7eeb6e67fca686f840eacd6b8394edb58b07482"}, {"fixed": "4f20188ac644afe174be6005ef4f6ffba232b8b2"} ] } ], "versions": [ "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0" ] } ], "credits": [ { "name": "Trail of Bits", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl can be asked to *tunnel* virtually all protocols it supports through an\nHTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using\nan appropriate HTTP error response code.\n\nWhen getting denied to tunnel the specific protocols SMB or TELNET, curl would\nuse a heap-allocated struct after it had been freed, in its transfer shutdown\ncode path." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-32221", "aliases": [ "CVE-2022-32221" ], "summary": "POST following PUT confusion", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2022-32221.json", "www": "https://curl.se/docs/CVE-2022-32221.html", "issue": "https://hackerone.com/reports/1704017", "CWE": { "id": "CWE-440", "desc": "Expected Behavior Violation" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.85.0", "severity": "Medium" }, "published": "2022-10-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.86.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"}, {"fixed": "a64e3e59938abd7d667e4470a18072a24d7e9de9"} ] } ], "versions": [ "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Robby Simpson", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the subsequent\n`POST` request.\n\nThe problem exists in the logic for a reused handle when it is changed from a\nPUT to a POST." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-35252", "aliases": [ "CVE-2022-35252" ], "summary": "control code in cookie denial of service", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-35252.json", "www": "https://curl.se/docs/CVE-2022-35252.html", "issue": "https://hackerone.com/reports/1613943", "CWE": { "id": "CWE-1286", "desc": "Improper Validation of Syntactic Correctness of Input" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.84.0", "severity": "Low" }, "published": "2022-08-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.85.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "8dfc93e573ca740544a2d79ebb0ed786592c65c3"} ] } ], "versions": [ "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Axel Chong", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl retrieves and parses cookies from an HTTP(S) server, it accepts\ncookies using control codes (byte values below 32). When cookies that contain\nsuch control codes are later sent back to an HTTP(S) server, it might make the\nserver return a 400 response. Effectively allowing a \"sister site\" to deny\nservice to siblings." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-32208", "aliases": [ "CVE-2022-32208" ], "summary": "FTP-KRB bad message verification", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-32208.json", "www": "https://curl.se/docs/CVE-2022-32208.html", "issue": "https://hackerone.com/reports/1590071", "CWE": { "id": "CWE-924", "desc": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.83.1", "severity": "Low" }, "published": "2022-06-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.16.4"}, {"fixed": "7.84.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "54967d2a3ab5559631407f7b7f67ef48c2dda6dd"}, {"fixed": "6ecdf5136b52af747e7bda08db9a748256b1cd09"} ] } ], "versions": [ "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl does FTP transfers secured by krb5, it handles message verification\nfailures wrongly. This flaw makes it possible for a Man-In-The-Middle attack\nto go unnoticed and even allows it to inject data to the client." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27782", "aliases": [ "CVE-2022-27782" ], "summary": "TLS and SSH connection too eager reuse", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-27782.json", "www": "https://curl.se/docs/CVE-2022-27782.html", "issue": "https://hackerone.com/reports/1555796", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.83.0", "severity": "Medium" }, "published": "2022-05-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.16.1"}, {"fixed": "7.83.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "2147284cad624325f5b0034c2f394db62086d9e6"}, {"fixed": "1645e9b44505abd5cbaf65da5282c3f33b5924a5"} ] } ], "versions": [ "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl would reuse a previously created connection even when a TLS or SSH\nrelated option had been changed that should have prohibited reuse.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, several TLS and\nSSH settings were left out from the configuration match checks, making them\nmatch too easily." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27781", "aliases": [ "CVE-2022-27781" ], "summary": "CERTINFO never-ending busy-loop", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2022-27781.json", "www": "https://curl.se/docs/CVE-2022-27781.html", "issue": "https://hackerone.com/reports/1555441", "CWE": { "id": "CWE-835", "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')" }, "last_affected": "7.83.0", "severity": "Low" }, "published": "2022-05-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.34.0"}, {"fixed": "7.83.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "f6c335d63f2da025a0a3efde1fe59e3bb7189b70"}, {"fixed": "5c7da89d404bf59c8dd82a001119a16d18365917"} ] } ], "versions": [ "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0" ] } ], "credits": [ { "name": "Florian Kohnhäuser", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications to\nrequest details to be returned about a TLS server's certificate chain.\n\nDue to an erroneous function, a malicious server could make libcurl built with\nNSS get stuck in a never-ending busy-loop when trying to retrieve that\ninformation." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27776", "aliases": [ "CVE-2022-27776" ], "summary": "Auth/cookie leak on redirect", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-27776.json", "www": "https://curl.se/docs/CVE-2022-27776.html", "issue": "https://hackerone.com/reports/1547048", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.82.0", "severity": "Low" }, "published": "2022-04-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.83.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "6e659993952aa5f90f48864be84a1bbb047fc258"} ] } ], "versions": [ "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl might leak authentication or cookie header data on HTTP redirects to the\nsame host but another port number.\n\nWhen asked to send custom headers or cookies in its HTTP requests, curl sends\nthat set of headers only to the host which name is used in the initial URL, so\nthat redirects to other hosts make curl send the data to those. However, due\nto a flawed check, curl wrongly also sends that same set of headers to the\nhosts that are identical to the first one but use a different port number or\nURL scheme. Contrary to expectation and intention.\n\nSending the same set of headers to a server on a different port number is a\nproblem for applications that pass on custom `Authorization:` or `Cookie:`\nheaders, as those headers often contain privacy sensitive information or data.\n\ncurl and libcurl have options that allow users to opt out from this check, but\nthat is not set by default." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27774", "aliases": [ "CVE-2022-27774" ], "summary": "Credential leak on redirect", "modified": "2023-05-06T00:27:48.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-27774.json", "www": "https://curl.se/docs/CVE-2022-27774.html", "issue": "https://hackerone.com/reports/1543773", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.82.0", "severity": "Medium" }, "published": "2022-04-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.83.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08"} ] } ], "versions": [ "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl follows HTTP(S) redirects when asked to. curl also supports\nauthentication. When a user and password are provided for a URL with a given\nhostname, curl makes an effort to not pass on those credentials to other hosts\nin redirects unless given permission with a special option.\n\nThis \"same host check\" has been flawed all since it was introduced. It does\nnot work on cross protocol redirects and it does not consider different port\nnumbers to be separate hosts. This leads to curl leaking credentials to other\nservers when it follows redirects from auth protected HTTP(S) URLs to other\nprotocols and port numbers. It could also leak the TLS SRP credentials this\nway.\n\nBy default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked\nto allow redirects to all protocols curl supports." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-22576", "aliases": [ "CVE-2022-22576" ], "summary": "OAUTH2 bearer bypass in connection reuse", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-22576.json", "www": "https://curl.se/docs/CVE-2022-22576.html", "issue": "https://hackerone.com/reports/1526328", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.82.0", "severity": "Medium" }, "published": "2022-04-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "7.83.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "19a05c908f7d8be82de6f69f533317d8a0db49dd"}, {"fixed": "852aa5ad351ea53e5f01d2f44b5b4370c2bf5425"} ] } ], "versions": [ "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "Patrick Monnerat", "type": "FINDER" }, { "name": "Patrick Monnerat", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl might reuse OAUTH2-authenticated connections without properly making\nsure that the connection was authenticated with the same credentials as set\nfor this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S),\nPOP3(S) and LDAP(S) (OpenLDAP only).\n\nlibcurl maintains a pool of live connections after a transfer has completed\n(sometimes called the connection cache). This pool of connections is then gone\nthrough when a new transfer is requested and if there is a live connection\navailable that can be reused, it is preferred instead of creating a new one.\n\nDue to this security vulnerability, a connection that is successfully created\nand authenticated with a username + OAUTH2 bearer could subsequently be\nerroneously reused even for user + [other OAUTH2 bearer], even though that\nmight not even be a valid bearer. This could lead to an authentication bypass,\neither by mistake or by a malicious actor." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22947", "aliases": [ "CVE-2021-22947" ], "summary": "STARTTLS protocol injection via MITM", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22947.json", "www": "https://curl.se/docs/CVE-2021-22947.html", "issue": "https://hackerone.com/reports/1334763", "CWE": { "id": "CWE-349", "desc": "Acceptance of Extraneous Untrusted Data With Trusted Data" }, "award": { "amount": "1500", "currency": "USD" }, "last_affected": "7.78.0", "severity": "Medium" }, "published": "2021-09-15T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.79.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"}, {"fixed": "8ef147c43646e91fdaad5d0e7b60351f842e5c68"} ] } ], "versions": [ "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "Patrick Monnerat", "type": "FINDER" }, { "name": "Patrick Monnerat", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data\nsecurely using STARTTLS to upgrade the connection to TLS level, the server can\nstill respond and send back multiple responses before the TLS upgrade. Such\nmultiple *pipelined* responses are cached by curl. curl would then upgrade to\nTLS but not flush the in-queue of cached responses and instead use and trust\nthe responses it got *before* the TLS handshake as if they were authenticated.\n\nUsing this flaw, it allows a Man-In-The-Middle attacker to first inject the\nfake responses, then pass-through the TLS traffic from the legitimate server\nand trick curl into sending data back to the user thinking the attacker's\ninjected data comes from the TLS-protected server.\n\nOver POP3 and IMAP an attacker can inject fake response data." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22946", "aliases": [ "CVE-2021-22946" ], "summary": "Protocol downgrade required TLS bypassed", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22946.json", "www": "https://curl.se/docs/CVE-2021-22946.html", "issue": "https://hackerone.com/reports/1334111", "CWE": { "id": "CWE-325", "desc": "Missing Cryptographic Step" }, "award": { "amount": "1000", "currency": "USD" }, "last_affected": "7.78.0", "severity": "Medium" }, "published": "2021-09-15T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.79.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"}, {"fixed": "364f174724ef115c63d5e5dc1d3342c8a43b1cca"} ] } ], "versions": [ "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "Patrick Monnerat", "type": "FINDER" }, { "name": "Patrick Monnerat", "type": "REMEDIATION_DEVELOPER" } ], "details": "A user can tell curl to **require** a successful upgrade to TLS when speaking\nto an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or\n`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with\nlibcurl). This requirement could be bypassed if the server would return a\nproperly crafted but perfectly legitimate response.\n\nThis flaw would then make curl silently continue its operations **without\nTLS** contrary to the instructions and expectations, exposing possibly\nsensitive data in clear text over the network." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22926", "aliases": [ "CVE-2021-22926" ], "summary": "CURLOPT_SSLCERT mix-up with Secure Transport", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22926.json", "www": "https://curl.se/docs/CVE-2021-22926.html", "issue": "https://hackerone.com/reports/1234760", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "1000", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d2fe616e7e44a106ac976aaeaa441ad7d8a6df11"}, {"fixed": "fd9b40bf8dfd43edcbc0d254d613d95a11061c05"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl-using applications can ask for a specific client certificate to be\nused in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert`\nwith the command line tool).\n\nWhen libcurl is built to use the macOS native TLS library Secure Transport, an\napplication can ask for the client certificate by name or with a filename -\nusing the same option. If the name exists as a file, it is used instead of by\nname.\n\nIf the application runs with a current working directory that is writable by\nother users (like `/tmp`), a malicious user can create a filename with the\nsame name as the app wants to use by name, and thereby trick the application\nto use the file based cert instead of the one referred to by name making\nlibcurl send the wrong client certificate in the TLS connection handshake." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22925", "aliases": [ "CVE-2021-22925" ], "summary": "TELNET stack contents disclosure again", "modified": "2023-05-09T13:59:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22925.json", "www": "https://curl.se/docs/CVE-2021-22925.html", "issue": "https://hackerone.com/reports/1223882", "CWE": { "id": "CWE-457", "desc": "Use of Uninitialized Variable" }, "award": { "amount": "800", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "894f6ec730597eb243618d33cc84d71add8d6a8a"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Red Hat Product Security", "type": "FINDER" }, { "name": "Red Hat Product Security", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver. Therefore potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not call and use `sscanf()` correctly when\nparsing the string provided by the application.\n\nThe previous curl security vulnerability\n[CVE-2021-22898](https://curl.se/docs/CVE-2021-22898.html) is almost identical\nto this one but the fix was insufficient so this security vulnerability\nremained." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22924", "aliases": [ "CVE-2021-22924" ], "summary": "Bad connection reuse due to flawed path name checks", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22924.json", "www": "https://curl.se/docs/CVE-2021-22924.html", "issue": "https://hackerone.com/reports/1223565", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "1200", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.4"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "89721ff04af70f527baae1368f3b992777bf6526"}, {"fixed": "5ea3145850ebff1dc2b13d17440300a01ca38161"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse, if one of them matches the setup.\n\nDue to errors in the logic, the config matching function did not take 'issuer\ncert' into account and it compared the involved paths *case insensitively*,\nwhich could lead to libcurl reusing wrong connections.\n\nFile paths are, or can be, case sensitive on many systems but not all, and can\neven vary depending on used file systems.\n\nThe comparison also did not include the 'issuer cert' which a transfer can set\nto qualify how to verify the server certificate." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22923", "aliases": [ "CVE-2021-22923" ], "summary": "Metalink download sends credentials", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2021-22923.json", "www": "https://curl.se/docs/CVE-2021-22923.html", "issue": "https://hackerone.com/reports/1213181", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "700", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.27.0"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "b5fdbe848bc3d088445817aa890d3f2f74ac5b02"}, {"fixed": "265b14d6b37c4298bd5556fabcbc37d36f911693"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is instructed to get content using the Metalink feature, and a user\nname and password are used to download the Metalink XML file, those same\ncredentials are then subsequently passed on to each of the servers from which\ncurl downloads or tries to download the contents from. Often contrary to the\nuser's expectations and intentions and without telling the user it happened." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22922", "aliases": [ "CVE-2021-22922" ], "summary": "Wrong content via Metalink not discarded", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2021-22922.json", "www": "https://curl.se/docs/CVE-2021-22922.html", "issue": "https://hackerone.com/reports/1213175", "CWE": { "id": "CWE-20", "desc": "Improper Input Validation" }, "award": { "amount": "700", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.27.0"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "b5fdbe848bc3d088445817aa890d3f2f74ac5b02"}, {"fixed": "265b14d6b37c4298bd5556fabcbc37d36f911693"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is instructed to download content using the Metalink feature, the\ncontents is verified against a hash provided in the Metalink XML file.\n\nThe Metalink XML file points out to the client how to get the same content\nfrom a set of different URLs, potentially hosted by different servers and the\nclient can then download the file from one or several of them. In a serial or\nparallel manner.\n\nIf one of the servers hosting the contents has been breached and the contents\nof the specific file on that server is replaced with a modified payload, curl\nshould detect this when the hash of the file mismatches after a completed\ndownload. It should remove the contents and instead try getting the contents\nfrom another URL. This is not done, and instead such a hash mismatch is only\nmentioned in text and the potentially malicious content is kept in the file on\ndisk.\n\nThere is a risk the user does not notice the message and instead assumes the\nfile is fine." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22898", "aliases": [ "CVE-2021-22898" ], "summary": "TELNET stack contents disclosure", "modified": "2023-05-09T13:59:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22898.json", "www": "https://curl.se/docs/CVE-2021-22898.html", "issue": "https://hackerone.com/reports/1176461", "CWE": { "id": "CWE-457", "desc": "Use of Uninitialized Variable" }, "award": { "amount": "1000", "currency": "USD" }, "last_affected": "7.76.1", "severity": "Medium" }, "published": "2021-05-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.77.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "39ce47f219b09c380b81f89fe54ac586c8db6bde"} ] } ], "versions": [ "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver. Therefore potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not check the return code from a\n`sscanf(command, \"%127[^,],%127s\")` function invoke correctly, and would leave\nthe piece of the send buffer uninitialized for the value part if it was\nprovided longer than 127 bytes. The buffer used for this is 2048 bytes big and\nthe *variable* part of the *variable=content* pairs would be stored correctly\nin the send buffer, making curl sending \"interleaved\" bytes sequences of stack\ncontents. A single curl TELNET handshake could then be made to send off a\ntotal of around 1800 bytes of (non-contiguous) stack contents in this style:\n\n [control byte]name[control byte]\n stack contents\n [control byte]name[control byte]\n stack contents\n ...\n\nAn easy proof of concept command line looks like this:\n\n curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22876", "aliases": [ "CVE-2021-22876" ], "summary": "Automatic referer leaks credentials", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22876.json", "www": "https://curl.se/docs/CVE-2021-22876.html", "issue": "https://hackerone.com/reports/1101882", "CWE": { "id": "CWE-359", "desc": "Exposure of Private Personal Information to an Unauthorized Actor" }, "award": { "amount": "800", "currency": "USD" }, "last_affected": "7.75.0", "severity": "Low" }, "published": "2021-03-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.1.1"}, {"fixed": "7.76.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "f30ffef477636dc10a72eb30590a84a0218e5935"}, {"fixed": "7214288898f5625a6cc196e22a74232eada7861c"} ] } ], "versions": [ "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1" ] } ], "credits": [ { "name": "Viktor Szakats", "type": "FINDER" }, { "name": "Viktor Szakats", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl does not strip off user credentials from the URL when automatically\npopulating the `Referer:` HTTP request header field in outgoing HTTP requests,\nand therefore risks leaking sensitive data to the server that is the target of\nthe second HTTP request.\n\nlibcurl automatically sets the `Referer:` HTTP request header field in\noutgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the\ncurl tool, it is enabled with `--referer \";auto\"`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8286", "aliases": [ "CVE-2020-8286" ], "summary": "Inferior OCSP verification", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2020-8286.json", "www": "https://curl.se/docs/CVE-2020-8286.html", "issue": "https://hackerone.com/reports/1048457", "CWE": { "id": "CWE-299", "desc": "Improper Check for Certificate Revocation" }, "award": { "amount": "900", "currency": "USD" }, "last_affected": "7.73.0", "severity": "Medium" }, "published": "2020-12-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.41.0"}, {"fixed": "7.74.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d1cf5d570663dac157740cb5e49d24614f185da7"}, {"fixed": "d9d01672785b8ac04aab1abb6de95fe3072ae199"} ] } ], "versions": [ "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0" ] } ], "credits": [ { "name": "Ospoco", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl offers \"OCSP stapling\" via the `CURLOPT_SSL_VERIFYSTATUS` option. When\nset, libcurl verifies the OCSP response that a server responds with as part of\nthe TLS handshake. It then aborts the TLS negotiation if something is wrong\nwith the response. The same feature can be enabled with `--cert-status` using\nthe curl tool.\n\nAs part of the OCSP response verification, a client should verify that the\nresponse is indeed set out for the correct certificate. This step was not\nperformed by libcurl when built or told to use OpenSSL as TLS backend.\n\nThis flaw would allow an attacker, who perhaps could have breached a TLS\nserver, to provide a fraudulent OCSP response that would appear fine, instead\nof the real one. Like if the original certificate actually has been revoked." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8285", "aliases": [ "CVE-2020-8285" ], "summary": "FTP wildcard stack overflow", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2020-8285.json", "www": "https://curl.se/docs/CVE-2020-8285.html", "issue": "https://hackerone.com/reports/1045844", "CWE": { "id": "CWE-674", "desc": "Uncontrolled Recursion" }, "last_affected": "7.73.0", "severity": "Medium" }, "published": "2020-12-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.21.0"}, {"fixed": "7.74.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34"}, {"fixed": "69a358f2186e04cf44698b5100332cbf1ee7f01d"} ] } ], "versions": [ "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0" ] } ], "credits": [ { "name": "xnynx on github", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl offers a wildcard matching functionality, which allows a callback (set\nwith `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on\nhow to handle a specific entry in a directory when libcurl iterates over a\nlist of all available entries.\n\nWhen this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not\ndeal with that file, the internal function in libcurl then calls itself\nrecursively to handle the next directory entry.\n\nIf there is a sufficient amount of file entries and if the callback returns\n\"skip\" enough number of times, libcurl runs out of stack space. The exact\namount does of course vary with platforms, compilers and other environmental\nfactors.\n\nThe content of the remote directory is not kept on the stack, so it seems hard\nfor the attacker to control exactly what data that overwrites the stack -\nhowever it remains a Denial-Of-Service vector as a malicious user who controls\na server that a libcurl-using application works with under these premises can\ntrigger a crash.\n\n(There is also a few other ways the function can be made to call itself and\ntrigger this problem.)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8284", "aliases": [ "CVE-2020-8284" ], "summary": "trusting FTP PASV responses", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2020-8284.json", "www": "https://curl.se/docs/CVE-2020-8284.html", "issue": "https://hackerone.com/reports/1040166", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "700", "currency": "USD" }, "last_affected": "7.73.0", "severity": "Low" }, "published": "2020-12-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.0"}, {"fixed": "7.74.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "ec9cc725d598ac77de7b6df8afeec292b3c8ad46"} ] } ], "versions": [ "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1", "4.0" ] } ], "credits": [ { "name": "Varnavas Papaioannou", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl performs a passive FTP transfer, it first tries the `EPSV` command\nand if that is not supported, it falls back to using `PASV`. Passive mode is\nwhat curl uses by default.\n\nA server response to a `PASV` command includes the (IPv4) address and port\nnumber for the client to connect back to in order to perform the actual data\ntransfer.\n\nThis is how the FTP protocol is designed to work.\n\nA malicious server can use the `PASV` response to trick curl into connecting\nback to a given IP address and port, and this way potentially make curl\nextract information about services that are otherwise private and not\ndisclosed, for example doing port scanning and service banner extractions.\n\nIf curl operates on a URL provided by a user (which by all means is an unwise\nsetup), a user can exploit that and pass in a URL to a malicious FTP server\ninstance without needing any server breach to perform the attack." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8231", "aliases": [ "CVE-2020-8231" ], "summary": "wrong connect-only connection", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2020-8231.json", "www": "https://curl.se/docs/CVE-2020-8231.html", "issue": "https://hackerone.com/reports/948876", "CWE": { "id": "CWE-825", "desc": "Expired Pointer Dereference" }, "award": { "amount": "500", "currency": "USD" }, "last_affected": "7.71.1", "severity": "Low" }, "published": "2020-08-19T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.29.0"}, {"fixed": "7.72.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c43127414d89ccb9ef6517081f68986d991bcfb3"}, {"fixed": "3c9e021f86872baae412a427e807fbfa2f3e8a22"} ] } ], "versions": [ "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0" ] } ], "credits": [ { "name": "Marc Aldorasi", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "An application that performs multiple requests with libcurl's multi API and\nsets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience\nthat when subsequently using the setup connect-only transfer, libcurl picks\nand uses the wrong connection - and instead picks another one the application\nhas created since then.\n\n`CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual\ntransfer, only connect. When that operation is completed, libcurl remembers\nwhich connection it used for that transfer and \"easy handle\". It remembers the\nconnection using a pointer to the internal `connectdata` struct in memory.\n\nIf more transfers are then done with the same multi handle before the\nconnect-only connection is used, leading to the initial connect-only\nconnection to get closed (for example due to idle time-out) while also new\ntransfers (and connections) are setup, such a *new* connection might end up\ngetting the exact same memory address as the now closed connect-only\nconnection.\n\nIf after those operations, the application then wants to use the original\ntransfer's connect-only setup to for example use `curl_easy_send()` to send\nraw data over that connection, libcurl could **erroneously** find an existing\nconnection still being alive at the address it remembered since before even\nthough this is now a new and different connection.\n\nThe application could then accidentally send data over that connection which\nwas not at all intended for that recipient, entirely unknowingly." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8177", "aliases": [ "CVE-2020-8177" ], "summary": "curl overwrite local file with -J", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2020-8177.json", "www": "https://curl.se/docs/CVE-2020-8177.html", "issue": "https://hackerone.com/reports/887462", "CWE": { "id": "CWE-641", "desc": "Improper Restriction of Names for Files and Other Resources" }, "award": { "amount": "700", "currency": "USD" }, "last_affected": "7.70.0", "severity": "Medium" }, "published": "2020-06-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.71.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "80675818e0417be8c991513b328c5507e93b47e5"}, {"fixed": "8236aba58542c5f89f1d41ca09d84579efb05e22"} ] } ], "versions": [ "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "sn on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl can be tricked by a malicious server to overwrite a local file when using\n`-J` (`--remote-header-name`) and `-i` (`--include`) in the same command line.\n\nThe command line tool offers the `-J` option that saves a remote file using\nthe filename present in the `Content-Disposition:` response header. curl then\nrefuses to overwrite an existing local file using the same name, if one\nalready exists in the current directory.\n\nThe `-J` flag is designed to save a response body, and so it does not work\ntogether with `-i` and there is logic that forbids it. However, the check is\nflawed and does not properly check for when the options are used in the\nreversed order: first using `-J` and then `-i` were mistakenly accepted.\n\nThe result of this mistake was that incoming HTTP headers could overwrite a\nlocal file if one existed, as the check to avoid the local file was done first\nwhen body data was received, and due to the mistake mentioned above, it could\nalready have received and saved headers by that time.\n\nThe saved file would only get response headers added to it, as it would abort\nthe saving when the first body byte arrives. A malicious server could however\nstill be made to send back virtually anything as headers and curl would save\nthem like this, until the first CRLF-CRLF sequence appears.\n\n(Also note that `-J` needs to be used in combination with `-O` to have any\neffect.)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-5481", "aliases": [ "CVE-2019-5481" ], "summary": "FTP-KRB double free", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2019-5481.json", "www": "https://curl.se/docs/CVE-2019-5481.html", "issue": "https://hackerone.com/reports/686823", "CWE": { "id": "CWE-415", "desc": "Double Free" }, "award": { "amount": "200", "currency": "USD" }, "last_affected": "7.65.3", "severity": "Medium" }, "published": "2019-09-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.52.0"}, {"fixed": "7.66.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0649433da53c7165f839e24e889e131e2894dd32"}, {"fixed": "9069838b30fb3b48af0123e39f664cea683254a5"} ] } ], "versions": [ "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0" ] } ], "credits": [ { "name": "Thomas Vegas", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl can be told to use kerberos over FTP to a server, as set with the\n`CURLOPT_KRBLEVEL` option.\n\nDuring such kerberos FTP data transfer, the server sends data to curl in\nblocks with the 32-bit size of each block first and then that amount of data\nimmediately following.\n\nA malicious or just broken server can claim to send a large block and if\nby doing that it makes curl's subsequent call to `realloc()` to fail, curl\nwould then misbehave in the exit path and double free the memory.\n\nIn practical terms, an up to 4 GB memory area may well be fine to allocate\non a modern 64-bit system but on 32-bit systems it fails.\n\nKerberos FTP is a rarely used protocol with curl. Also, Kerberos\nauthentication is usually only attempted and used with servers that the client\nhas a previous association with." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-5482", "aliases": [ "CVE-2019-5482" ], "summary": "TFTP small blocksize heap buffer overflow", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2019-5482.json", "www": "https://curl.se/docs/CVE-2019-5482.html", "issue": "https://hackerone.com/reports/684603", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "award": { "amount": "250", "currency": "USD" }, "last_affected": "7.65.3", "severity": "Medium" }, "published": "2019-09-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.19.4"}, {"fixed": "7.66.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0516ce7786e9500c2e447d48aa9b3f24a6ca70f9"}, {"fixed": "facb0e4662415b5f28163e853dc6742ac5fafb3d"} ] } ], "versions": [ "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4" ] } ], "credits": [ { "name": "Thomas Vegas", "type": "FINDER" }, { "name": "Thomas Vegas", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a heap buffer overflow in the function\n(`tftp_receive_packet()`) that receives data from a TFTP server. It can call\n`recvfrom()` with the default size for the buffer rather than with the size\nthat was used to allocate it. Thus, the content that might overwrite the heap\nmemory is controlled by the server.\n\nThis flaw is only triggered if the TFTP server sends an `OACK` without the\n`BLKSIZE` option, when a `BLKSIZE` smaller than 512 bytes was requested by the\nTFTP client. `OACK` is a TFTP extension and is not used by all TFTP servers.\n\nUsers choosing a smaller block size than default should be rare as the primary\nuse case for changing the size is to make it larger.\n\nIt is rare for users to use TFTP across the Internet. It is most commonly used\nwithin local networks. TFTP as a protocol is always inherently insecure.\n\nThis issue was introduced by the add of the TFTP `BLKSIZE` option handling. It\nwas previously incompletely fixed by an almost identical issue called\nCVE-2019-5436." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-5443", "aliases": [ "CVE-2019-5443" ], "summary": "Windows OpenSSL engine code injection", "modified": "2025-01-07T11:34:40.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2019-5443.json", "www": "https://curl.se/docs/CVE-2019-5443.html", "issue": "https://hackerone.com/reports/608577", "CWE": { "id": "CWE-94", "desc": "Improper Control of Generation of Code ('Code Injection')" }, "award": { "amount": "200", "currency": "USD" }, "last_affected": "7.65.1", "severity": "High" }, "published": "2019-06-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.44.0"}, {"fixed": "7.66.0"} ] } ], "versions": [ "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0" ] } ], "credits": [ { "name": "Rich Mirch", "type": "FINDER" }, { "name": "Viktor Szakats", "type": "REMEDIATION_DEVELOPER" } ], "details": "A non-privileged user or program can put code and a config file in a known\nnon-privileged path (under `C:/usr/local/`) that makes curl automatically run\nthe code (as an OpenSSL \"engine\") on invocation. If that curl is invoked by a\nprivileged user it can do anything it wants.\n\nThis flaw exists in the official curl-for-windows binaries built and hosted by\nthe curl project (all versions up to and including 7.65.1_1). It **does not**\nexist in the curl executable shipped by Microsoft, bundled with Windows 10. It\npossibly exists in other curl builds for Windows too that uses OpenSSL.\n\nThe curl project has provided official curl executable builds for Windows\nsince [late August\n2018](https://daniel.haxx.se/blog/2018/08/27/blessed-curl-builds-for-windows/).\n\nThere exists proof of concept exploits of this flaw." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-5436", "aliases": [ "CVE-2019-5436" ], "summary": "TFTP receive buffer overflow", "modified": "2024-01-12T23:34:54.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2019-5436.json", "www": "https://curl.se/docs/CVE-2019-5436.html", "issue": "https://hackerone.com/reports/550696", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "award": { "amount": "200", "currency": "USD" }, "last_affected": "7.64.1", "severity": "Low" }, "published": "2019-05-22T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.19.4"}, {"fixed": "7.65.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0516ce7786e9500c2e447d48aa9b3f24a6ca70f9"}, {"fixed": "2576003415625d7b5f0e390902f8097830b82275"} ] } ], "versions": [ "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4" ] } ], "credits": [ { "name": "l00p3r", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a heap buffer overflow in the function\n(`tftp_receive_packet()`) that receives data from a TFTP server. It calls\n`recvfrom()` with the default size for the buffer rather than with the size\nthat was used to allocate it. Thus, the content that might overwrite the heap\nmemory is entirely controlled by the server.\n\nThe flaw exists if the user selects to use a `blksize` of 504 or smaller\n(default is 512). The smaller size that is used, the larger the possible\noverflow becomes.\n\nUsers choosing a smaller size than default should be rare as the primary use\ncase for changing the size is to make it larger.\n\nIt is rare for users to use TFTP across the Internet. It is most commonly used\nwithin local networks." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-16890", "aliases": [ "CVE-2018-16890" ], "summary": "NTLM type-2 out-of-bounds buffer read", "modified": "2023-05-06T00:27:48.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-16890.json", "www": "https://curl.se/docs/CVE-2018-16890.html", "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "last_affected": "7.63.0", "severity": "Medium" }, "published": "2019-02-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.36.0"}, {"fixed": "7.64.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"}, {"fixed": "b780b30d1377adb10bbe774835f49e9b237fb9bb"} ] } ], "versions": [ "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0" ] } ], "credits": [ { "name": "Wenxiang Qian of Tencent Blade Team", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a heap buffer out-of-bounds read flaw.\n\nThe function handling incoming NTLM type-2 messages\n(`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data\ncorrectly and is subject to an integer overflow vulnerability.\n\nUsing that overflow, a malicious or broken NTLM server could trick libcurl to\naccept a bad length + offset combination that would lead to a buffer read\nout-of-bounds." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-3822", "aliases": [ "CVE-2019-3822" ], "summary": "NTLMv2 type-3 header stack buffer overflow", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2019-3822.json", "www": "https://curl.se/docs/CVE-2019-3822.html", "CWE": { "id": "CWE-121", "desc": "Stack-based Buffer Overflow" }, "last_affected": "7.63.0", "severity": "High" }, "published": "2019-02-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.36.0"}, {"fixed": "7.64.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"}, {"fixed": "50c9484278c63b958655a717844f0721263939cc"} ] } ], "versions": [ "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0" ] } ], "credits": [ { "name": "Wenxiang Qian of Tencent Blade Team", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Huzaifa Sidhpurwala", "type": "OTHER" } ], "details": "libcurl contains a stack based buffer overflow vulnerability.\n\nThe function creating an outgoing NTLM type-3 header\n(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the\nrequest HTTP header contents based on previously received data. The check that\nexists to prevent the local buffer from getting overflowed is implemented\nwrongly (using unsigned math) and as such it does not prevent the overflow\nfrom happening.\n\nThis output data can grow larger than the local buffer if large response data\nis extracted from a previous NTLMv2 header provided by the malicious or broken\nHTTP server.\n\nSuch large response data needs to be around 1000 bytes or more. The actual\npayload data copied to the target buffer comes from the NTLMv2 type-2 response\nheader." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2019-3823", "aliases": [ "CVE-2019-3823" ], "summary": "SMTP end-of-response out-of-bounds read", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2019-3823.json", "www": "https://curl.se/docs/CVE-2019-3823.html", "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "last_affected": "7.63.0", "severity": "Low" }, "published": "2019-02-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.34.0"}, {"fixed": "7.64.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "2766262a68688c1dd8143f9c4be84b46c408b70a"}, {"fixed": "39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484"} ] } ], "versions": [ "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0" ] } ], "credits": [ { "name": "Brian Carpenter (Geeknik Labs)", "type": "FINDER" }, { "name": "Daniel Gustafsson", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a heap out-of-bounds read in the code handling the\nend-of-response for SMTP.\n\nIf the buffer passed to `smtp_endofresp()` is not null terminated and contains\nno character ending the parsed number, and `len` is set to 5, then the\n`strtol()` call reads beyond the allocated buffer. The read content is not\nreturned to the caller." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-16842", "aliases": [ "CVE-2018-16842" ], "summary": "warning message out-of-buffer read", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2018-16842.json", "www": "https://curl.se/docs/CVE-2018-16842.html", "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "award": { "amount": "100", "currency": "USD" }, "last_affected": "7.61.1", "severity": "Low" }, "published": "2018-10-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.14.1"}, {"fixed": "7.62.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d9ca9154d111e1287cc7ef06ec543094a4433f1f"}, {"fixed": "d530e92f59ae9bb2d47066c3c460b25d2ffeb211"} ] } ], "versions": [ "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1" ] } ], "credits": [ { "name": "Brian Carpenter (Geeknik Labs)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl contains a heap out of buffer read vulnerability.\n\nThe command line tool has a generic function for displaying warning and\ninformational messages to stderr for various situations. For example if an\nunknown command line argument is used, or passed to it in a \"config\" file.\n\nThis display function formats the output to wrap at 80 columns. The wrap logic\nis however flawed, so if a single word in the message is itself longer than 80\nbytes the buffer arithmetic calculates the remainder wrong and ends up reading\nbehind the end of the buffer. This could lead to information disclosure or\ncrash.\n\nThis vulnerability could lead to a security issue if used in this or similar\nsituations:\n\n 1. a server somewhere uses the curl command line to run something\n 2. if it fails, it shows stderr to the user\n 3. the server takes user input for parts of its command line input\n 4. user provides something overly long that triggers this crash\n 5. the stderr output may now contain user memory contents that was not meant\n to be available" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-16839", "aliases": [ "CVE-2018-16839" ], "summary": "SASL password overflow via integer overflow", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-16839.json", "www": "https://curl.se/docs/CVE-2018-16839.html", "CWE": { "id": "CWE-131", "desc": "Incorrect Calculation of Buffer Size" }, "last_affected": "7.61.1", "severity": "Low" }, "published": "2018-10-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "7.62.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c56f9797e7feb7c2dc93bc389d4b85cc75220d77"}, {"fixed": "f3a24d7916b9173c69a3e0ee790102993833d6c5"} ] } ], "versions": [ "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a buffer overrun in the SASL authentication code.\n\nThe internal function `Curl_auth_create_plain_message` fails to correctly\nverify that the passed in lengths for name and password are not too long, then\ncalculates a buffer size to allocate.\n\nOn systems with a 32-bit `size_t`, the math to calculate the buffer size\ntriggers an integer overflow when the username length exceeds 1GB and the\npassword name length is close to 2GB in size. This integer overflow usually\ncauses a tiny buffer to actually get allocated instead of the intended huge\none, making the use of that buffer end up in a heap buffer overflow.\n\n(This bug is similar to\n[CVE-2018-14618](https://curl.se/docs/CVE-2018-14618.html).)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-14618", "aliases": [ "CVE-2018-14618" ], "summary": "NTLM password overflow via integer overflow", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-14618.json", "www": "https://curl.se/docs/CVE-2018-14618.html", "CWE": { "id": "CWE-131", "desc": "Incorrect Calculation of Buffer Size" }, "last_affected": "7.61.0", "severity": "High" }, "published": "2018-09-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.15.4"}, {"fixed": "7.61.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "be285cde3f52571087816759220a68cb994d9307"}, {"fixed": "57d299a499155d4b327e341c6024e293b0418243"} ] } ], "versions": [ "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4" ] } ], "credits": [ { "name": "Zhaoyang Wu", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a buffer overrun in the NTLM authentication code.\n\nThe internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of\nthe password by two (SUM) to figure out how large temporary storage area to\nallocate from the heap.\n\nThe `length` value is then subsequently used to iterate over the password and\ngenerate output into the allocated storage buffer. On systems with a 32-bit\n`size_t`, the math to calculate SUM triggers an integer overflow when the\npassword length exceeds 2GB (2^31 bytes). This integer overflow usually causes\na tiny buffer to actually get allocated instead of the intended huge one,\nmaking the use of that buffer end up in a heap buffer overflow.\n\n(This bug is almost identical to\n[CVE-2017-8816](https://curl.se/docs/CVE-2017-8816.html).)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000301", "aliases": [ "CVE-2018-1000301" ], "summary": "RTSP bad headers buffer over-read", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000301.json", "www": "https://curl.se/docs/CVE-2018-1000301.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.59.0", "severity": "Medium" }, "published": "2018-05-16T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.60.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "bc4582b68a673d3b0f5a2e7d971605de2c8b3730"}, {"fixed": "8c7b3737d29ed5c0575bf592063de8a51450812d"} ] } ], "versions": [ "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "OSS-Fuzz", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Max Dymond", "type": "OTHER" } ], "details": "curl can be tricked into reading data beyond the end of a heap based buffer\nused to store downloaded content.\n\nWhen servers send RTSP responses back to curl, the data starts out with a set\nof headers. curl parses that data to separate it into a number of headers to\ndeal with those appropriately and to find the end of the headers that signal\nthe start of the \"body\" part.\n\nThe function that splits up the response into headers is called\n`Curl_http_readwrite_headers()` and in situations where it cannot find a single\nheader in the buffer, it might end up leaving a pointer pointing into the\nbuffer instead of to the start of the buffer which then later on may lead to\nan out of buffer read when code assumes that pointer points to a full buffer\nsize worth of memory to use.\n\nThis could potentially lead to information leakage but most likely a\ncrash/denial of service for applications if a server triggers this flaw." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000122", "aliases": [ "CVE-2018-1000122" ], "summary": "RTSP RTP buffer over-read", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000122.json", "www": "https://curl.se/docs/CVE-2018-1000122.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.58.0", "severity": "Medium" }, "published": "2018-03-14T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.59.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "bc4582b68a673d3b0f5a2e7d971605de2c8b3730"}, {"fixed": "d52dc4760f6d9ca1937eefa2093058a952465128"} ] } ], "versions": [ "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "OSS-fuzz", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Max Dymond", "type": "OTHER" } ], "details": "curl can be tricked into copying data beyond end of its heap based buffer.\n\nWhen asked to transfer an RTSP URL, curl could calculate a wrong data length\nto copy from the read buffer. The `memcpy()` call would copy data from the\nheap following the buffer to a storage area that would subsequently be\ndelivered to the application (if it did not cause a crash). We have managed to\nget it to reach several hundreds bytes out of range.\n\nThis could lead to information leakage or a denial of service for the\napplication if the server offering the RTSP data can trigger this." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000121", "aliases": [ "CVE-2018-1000121" ], "summary": "LDAP NULL pointer dereference", "modified": "2023-05-06T00:27:48.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000121.json", "www": "https://curl.se/docs/CVE-2018-1000121.html", "CWE": { "id": "CWE-476", "desc": "NULL Pointer Dereference" }, "last_affected": "7.58.0", "severity": "Low" }, "published": "2018-03-14T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.21.0"}, {"fixed": "7.59.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "2e056353b00d0944bdb2f8e948cc40a4dc0f3dfb"}, {"fixed": "9889db043393092e9d4b5a42720bba0b3d58deba"} ] } ], "versions": [ "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0" ] } ], "credits": [ { "name": "Dario Weisser", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl might dereference a near-NULL address when getting an LDAP URL.\n\nThe function `ldap_get_attribute_ber()` is called to get attributes, but it\nturns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer\nin the result pointer when getting a particularly crafted response. This was a\nsurprise to us and to the code.\n\nlibcurl-using applications that allow LDAP URLs, or that allow redirects to\nLDAP URLs could be made to crash by a malicious server." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000120", "aliases": [ "CVE-2018-1000120" ], "summary": "FTP path trickery leads to NIL byte out of bounds write", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000120.json", "www": "https://curl.se/docs/CVE-2018-1000120.html", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "last_affected": "7.58.0", "severity": "High" }, "published": "2018-03-14T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.12.3"}, {"fixed": "7.59.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "6e1e9caa32da099569bb95e64faf0b5f3cf103b5"}, {"fixed": "535432c0adb62fe167ec09621500470b6fa4eb0f"} ] } ], "versions": [ "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3" ] } ], "credits": [ { "name": "Duy Phan Thanh", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl can be fooled into writing a zero byte out of bounds.\n\nThis bug can trigger when curl is told to work on an FTP URL, with the setting\nto only issue a single CWD command (`--ftp-method singlecwd` or the libcurl\nalternative `CURLOPT_FTP_FILEMETHOD`).\n\ncurl then URL-decodes the given path, calls strlen() on the result and deducts\nthe length of the filename part to find the end of the directory within the\nbuffer. It then writes a zero byte on that index, in a buffer allocated on the\nheap.\n\nIf the directory part of the URL contains a \"%00\" sequence, the directory\nlength might end up shorter than the filename path, making the calculation\n`size_t index = directory_len - filepart_len` end up with a huge index\nvariable for where the zero byte gets stored: `heap_buffer[index] = 0`. On\nseveral architectures that huge index wraps and works as a negative value,\nthus overwriting memory *before* the intended heap buffer.\n\nBy using different file part lengths and putting %00 in different places in\nthe URL, an attacker that can control what paths a curl-using application uses\ncan write that zero byte on different indexes." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000007", "aliases": [ "CVE-2018-1000007" ], "summary": "HTTP authentication leak in redirects", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000007.json", "www": "https://curl.se/docs/CVE-2018-1000007.html", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "last_affected": "7.57.0", "severity": "Low" }, "published": "2018-01-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.0"}, {"fixed": "7.58.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "af32cd3859336ab963591ca0df9b1e33a7ee066b"} ] } ], "versions": [ "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0" ] } ], "credits": [ { "name": "Craig de Stigter", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl might leak authentication data to third parties.\n\nWhen asked to send custom headers in its HTTP requests, curl sends that set of\nheaders first to the host in the initial URL but also, if asked to follow\nredirects and a 30X HTTP response code is returned, to the host mentioned in\nURL in the `Location:` response header value.\n\nSending the same set of headers to subsequent hosts is in particular a problem\nfor applications that pass on custom `Authorization:` headers, as this header\noften contains privacy sensitive information or data that could allow others\nto impersonate the curl-using client's request." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000005", "aliases": [ "CVE-2018-1000005" ], "summary": "HTTP/2 trailer out-of-bounds read", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000005.json", "www": "https://curl.se/docs/CVE-2018-1000005.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.57.0", "severity": "Low" }, "published": "2018-01-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.49.0"}, {"fixed": "7.58.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0761a51ee0551ad9e523cbdba24ce00d22fff9c1"}, {"fixed": "fa3dbb9a147488a2943bda809c66fc497efe06cb"} ] } ], "versions": [ "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0" ] } ], "credits": [ { "name": "Zhouyihai Ding", "type": "FINDER" }, { "name": "Zhouyihai Ding", "type": "REMEDIATION_DEVELOPER" }, { "name": "Ray Satiro", "type": "OTHER" } ], "details": "libcurl contains an out bounds read in code handling HTTP/2 trailers.\n\nIt was [reported](https://github.com/curl/curl/pull/2231) that reading an\nHTTP/2 trailer could mess up future trailers since the stored size was one\nbyte less than required.\n\nThe problem is that the code that creates HTTP/1-like headers from the HTTP/2\ntrailer data once appended a string like `\":\"` to the target buffer, while\nthis was recently changed to `\": \"` (a space was added after the colon) but\nthe associated math was not updated correspondingly.\n\nWhen accessed, the data is read out of bounds and causes either a crash or\nthat the (too large) data gets passed to the libcurl callback. This might lead\nto a denial-of-service situation or an information disclosure if someone has a\nservice that echoes back or uses the trailers for something." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-8817", "aliases": [ "CVE-2017-8817" ], "summary": "FTP wildcard out of bounds read", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2017-8817.json", "www": "https://curl.se/docs/CVE-2017-8817.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.56.1", "severity": "Medium" }, "published": "2017-11-29T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.21.0"}, {"fixed": "7.57.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34"}, {"fixed": "0b664ba968437715819bfe4c7ada5679d16ebbc3"} ] } ], "versions": [ "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0" ] } ], "credits": [ { "name": "OSS-Fuzz", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Max Dymond", "type": "OTHER" } ], "details": "libcurl contains a read out of bounds flaw in the FTP wildcard function.\n\nlibcurl's FTP wildcard matching feature, which is enabled with the\n`CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user\nprovided one. The built-in wildcard function has a flaw that makes it not\ndetect the end of the pattern string if it ends with an open bracket (`[`) but\ninstead it continues reading the heap beyond the end of the URL buffer that\nholds the wildcard.\n\nFor applications that use HTTP(S) URLs, allow libcurl to handle redirects and\nhave FTP wildcards enabled, this flaw can be triggered by malicious servers\nthat can redirect clients to a URL using such a wildcard pattern." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-8816", "aliases": [ "CVE-2017-8816" ], "summary": "NTLM buffer overflow via integer overflow", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-8816.json", "www": "https://curl.se/docs/CVE-2017-8816.html", "CWE": { "id": "CWE-131", "desc": "Incorrect Calculation of Buffer Size" }, "last_affected": "7.56.1", "severity": "Medium" }, "published": "2017-11-29T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.36.0"}, {"fixed": "7.57.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"}, {"fixed": "7f2a1df6f5fc598750b2c6f34465c8d924db28cc"} ] } ], "versions": [ "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0" ] } ], "credits": [ { "name": "Alex Nichols", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a buffer overrun flaw in the NTLM authentication code.\n\nThe internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of\nthe username + password (= SUM) and multiplies the sum by two (= SIZE) to\nfigure out how large storage to allocate from the heap.\n\nThe SUM value is subsequently used to iterate over the input and generate\noutput into the storage buffer. On systems with a 32-bit `size_t`, the math to\ncalculate SIZE triggers an integer overflow when the combined lengths of the\nusername and password is larger than 2GB (2^31 bytes). This integer overflow\nusually causes a tiny buffer to actually get allocated instead of the intended\nhuge one, making the use of that buffer end up in a buffer overrun." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-1000257", "aliases": [ "CVE-2017-1000257" ], "summary": "IMAP FETCH response out of bounds read", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-1000257.json", "www": "https://curl.se/docs/CVE-2017-1000257.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.56.0", "severity": "Medium" }, "published": "2017-10-12T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.20.0"}, {"fixed": "7.56.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"}, {"fixed": "13c9a9ded3ae744a1e11cbc14e9146d9fa427040"} ] } ], "versions": [ "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0" ] } ], "credits": [ { "name": "Brian Carpenter (Geeknik Labs)", "type": "FINDER" }, { "name": "0xd34db347", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl contains a buffer overrun flaw in the IMAP handler.\n\nAn IMAP FETCH response line indicates the size of the returned data, in number\nof bytes. When that response says the data is zero bytes, libcurl would pass\non that (non-existing) data with a pointer and the size (zero) to the\ndeliver-data function.\n\nlibcurl's deliver-data function treats zero as a magic number and invokes\nstrlen() on the data to figure out the length. The strlen() is called on a\nheap based buffer that might not be zero terminated so libcurl might read\nbeyond the end of it into whatever memory lies after (or just crash) and then\ndeliver that to the application as if it was actually downloaded." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-1000254", "aliases": [ "CVE-2017-1000254" ], "summary": "FTP PWD response parser out of bounds read", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-1000254.json", "www": "https://curl.se/docs/CVE-2017-1000254.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.55.1", "severity": "Medium" }, "published": "2017-10-04T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.56.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "415d2e7cb7dd4f40b7c857f0fba23487dcd030a0"}, {"fixed": "5ff2c5ff25750aba1a8f64fbcad8e5b891512584"} ] } ], "versions": [ "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Max Dymond", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or\nnot), it asks the server for the current directory with the `PWD` command. The\nserver then responds with a 257 response containing the path, inside double\nquotes. The returned path name is then kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a directory name\npassed like this but without a closing double quote would lead to libcurl not\nadding a trailing null byte to the buffer holding the name. When libcurl would\nthen later access the string, it could read beyond the allocated heap buffer\nand crash or wrongly access data beyond the buffer, thinking it was part of\nthe path.\n\nA malicious server could abuse this fact and effectively prevent libcurl-based\nclients to work with it - the PWD command is always issued on new FTP\nconnections and the mistake has a high chance of causing a segfault.\n\nThe simple fact that this issue has remained undiscovered for this long could\nsuggest that malformed PWD responses are rare in benign servers." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-1000101", "aliases": [ "CVE-2017-1000101" ], "summary": "URL globbing out of bounds read", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2017-1000101.json", "www": "https://curl.se/docs/CVE-2017-1000101.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.54.1", "severity": "Medium" }, "published": "2017-08-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.34.0"}, {"fixed": "7.55.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "5ca96cb84410270e233c92bf1b2583cba40c3fad"}, {"fixed": "453e7a7a03a2cec749abd3878a48e728c515cca7"} ] } ], "versions": [ "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0" ] } ], "credits": [ { "name": "Brian Carpenter", "type": "FINDER" }, { "name": "Yongji Ouyang", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range\nto have the tool iterate over those numbers to do a sequence of transfers.\n\nIn the globbing function that parses the numerical range, there was an\nomission that made curl read a byte beyond the end of the URL if given a\ncarefully crafted, or just wrongly written, URL. The URL is stored in a heap\nbased buffer, so it could then be made to wrongly read something else instead\nof crashing.\n\nAn example of a URL that triggers the flaw would be\n`http://ur%20[0-60000000000000000000`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-1000100", "aliases": [ "CVE-2017-1000100" ], "summary": "TFTP sends more than buffer size", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-1000100.json", "www": "https://curl.se/docs/CVE-2017-1000100.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.54.1", "severity": "High" }, "published": "2017-08-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.15.0"}, {"fixed": "7.55.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "56d9624b566ac15ffb4b4b6eef220a5000b767e0"}, {"fixed": "358b2b131ad6c095696f20dcfa62b8305263f898"} ] } ], "versions": [ "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0" ] } ], "credits": [ { "name": "Even Rouault", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a\nlong filename (longer than about 515 bytes), the filename is truncated to fit\nwithin the buffer boundaries, but the buffer size is still wrongly updated\nto use the original length. This too large value is then used in the\n`sendto()` call, making curl attempt to send more data than what is actually\nput into the buffer. The `sendto()` function then reads beyond the end of the\nheap based buffer.\n\nA malicious HTTP(S) server could redirect a vulnerable libcurl-using client to\na crafted TFTP URL (if the client has not restricted which protocols it allows\nredirects to) and trick it to send private memory contents to a remote server\nover UDP. Limit curl's redirect protocols with `--proto-redir` and libcurl's\nwith `CURLOPT_REDIR_PROTOCOLS`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-9502", "aliases": [ "CVE-2017-9502" ], "summary": "URL file scheme drive letter buffer overflow", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-9502.json", "www": "https://curl.se/docs/CVE-2017-9502.html", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "last_affected": "7.54.0", "severity": "High" }, "published": "2017-06-14T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.53.0"}, {"fixed": "7.54.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "1d4202ade602dd4f1192c69aed5cc905e7a9b4e2"}, {"fixed": "5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa"} ] } ], "versions": [ "7.54.0", "7.53.1", "7.53.0" ] } ], "credits": [ { "name": "Marcel Raad", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl is given either\n\n 1. a file: URL that does not use two slashes following the colon, or\n 2. is told that file is the default scheme to use for URLs without scheme\n\n... and the given path starts with a drive letter and libcurl is built for\nWindows or DOS, then libcurl would copy the path with a wrong offset, so that\nthe end of the given path would write beyond the malloc buffer. Up to seven\nbytes too much." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-7468", "aliases": [ "CVE-2017-7468" ], "summary": "TLS session resumption client cert bypass (again)", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-7468.json", "www": "https://curl.se/docs/CVE-2017-7468.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.53.1", "severity": "High" }, "published": "2017-04-19T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.52.0"}, {"fixed": "7.54.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "95c717bbd9c327c38b4efcc37d5cda29b8ee2a36"}, {"fixed": "33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26"} ] } ], "versions": [ "7.53.1", "7.53.0", "7.52.1", "7.52.0" ] } ], "credits": [ { "name": "lijian996 on github", "type": "FINDER" }, { "name": "Ray Satiro", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nlibcurl supports by default the use of TLS session id/ticket to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nwhen for any reason an existing TLS connection could not be kept alive to make\nthe next handshake faster.\n\nThis flaw is a regression and identical to\n[CVE-2016-5419](https://curl.se/docs/CVE-2016-5419.html) reported on\nAugust 3rd 2016, but affecting a different version range." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-7407", "aliases": [ "CVE-2017-7407" ], "summary": "--write-out out of buffer read", "modified": "2024-12-18T10:24:02.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2017-7407.json", "www": "https://curl.se/docs/CVE-2017-7407.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.53.1", "severity": "Medium" }, "published": "2017-04-03T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.5"}, {"fixed": "7.54.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d073ec0a719bfad28b791f1ead089be655b896e9"}, {"fixed": "8e65877870c1fac920b65219adec720df810aab9"} ] } ], "versions": [ "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5" ] } ], "credits": [ { "name": "Brian Carpenter (Geeknik Labs)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "There were two bugs in curl's parser for the command line option `--write-out`\n(or `-w` for short) that would skip the end of string zero byte if the string\nended in a `%` (percent) or `\\` (backslash), and it would read beyond that\nbuffer in the heap memory and it could then potentially output pieces of that\nmemory to the terminal or the target file etc.\n\nThe curl security team did not report this as a security vulnerability due to\nthe minimal risk: the memory this would output comes from the process the user\nitself invokes and that runs with the same privileges as the user. We could\nnot come up with a likely scenario where this could leak other users' data or\nmemory contents.\n\nAn external party registered this as a CVE with MITRE and we feel a\nresponsibility to clarify what this flaw is about. The CVE-2017-7407 issue is\nspecifically only about the `%` part of this flaw.\n\nThis flaw only exists in the command line tool." }]