Vulnerabilities in curl 7.87.0

curl version 7.87.0 was released on December 21 2022

It has the following 49 published security problems.

| S | Flaw | First | Last |
|---|------|-------|------|
| L | CVE-2026-12064: proto-default skips SSH verification | 7.81.0 | 8.20.0 |
| M | CVE-2026-11856: cross-origin Digest auth state leak | 7.10.6 | 8.20.0 |
| L | CVE-2026-9547: SSH improper host validation | 7.69.0 | 8.20.0 |
| L | CVE-2026-8932: incomplete mTLS config matching in conn reuse | 7.7 | 8.20.0 |
| M | CVE-2026-8927: env-set cross-proxy Digest auth state leak | 7.12.0 | 8.20.0 |
| L | CVE-2026-8924: trailing dot domain super cookie | 7.46.0 | 8.20.0 |
| L | CVE-2026-8458: wrong reuse for different services | 7.43.0 | 8.20.0 |
| L | CVE-2026-8286: wrong STARTTLS connection reuse | 7.30.0 | 8.20.0 |
| M | CVE-2026-7168: cross-proxy Digest auth state leak | 7.12.0 | 8.19.0 |
| M | CVE-2026-6429: netrc credential leak with reused proxy connection | 7.14.0 | 8.19.0 |
| L | CVE-2026-6276: stale custom cookie host causes cookie leak | 7.71.0 | 8.19.0 |
| M | CVE-2026-6253: proxy credentials leak over redirect-to proxy | 7.14.1 | 8.19.0 |
| L | CVE-2026-5773: wrong reuse of SMB connection | 7.40.0 | 8.19.0 |
| M | CVE-2026-5545: wrong reuse of HTTP Negotiate connection | 7.10.6 | 8.19.0 |
| L | CVE-2026-4873: connection reuse ignores TLS requirement | 7.20.0 | 8.19.0 |
| L | CVE-2026-3784: wrong proxy connection reuse with credentials | 7.7 | 8.18.0 |
| M | CVE-2026-3783: token leak with redirect and netrc | 7.33.0 | 8.18.0 |
| M | CVE-2026-1965: bad reuse of HTTP Negotiate connection | 7.10.6 | 8.18.0 |
| L | CVE-2025-15224: libssh key passphrase bypass without agent set | 7.58.0 | 8.17.0 |
| L | CVE-2025-15079: libssh global known_hosts override | 7.58.0 | 8.17.0 |
| L | CVE-2025-14819: OpenSSL partial chain store policy bypass | 7.87.0 | 8.17.0 |
| L | CVE-2025-14524: bearer token leak on cross-protocol redirect | 7.33.0 | 8.17.0 |
| M | CVE-2025-14017: broken TLS options for threaded LDAPS | 7.17.0 | 8.17.0 |
| L | CVE-2025-10966: missing SFTP host verification with wolfSSH | 7.69.0 | 8.16.0 |
| L | CVE-2025-0725: gzip integer overflow | 7.10.5 | 8.11.1 |
| L | CVE-2025-0167: netrc and default credential leak | 7.76.0 | 8.11.1 |
| L | CVE-2024-11053: netrc and redirect credential leak | 7.76.0 | 8.11.0 |
| L | CVE-2024-9681: HSTS subdomain overwrites parent cache entry | 7.74.0 | 8.10.1 |
| M | CVE-2024-8096: OCSP stapling bypass with GnuTLS | 7.41.0 | 8.9.1 |
| L | CVE-2024-7264: ASN.1 date parser overread | 7.32.0 | 8.9.0 |
| M | CVE-2024-2398: HTTP/2 push headers memory-leak | 7.44.0 | 8.6.0 |
| L | CVE-2024-2004: Usage of disabled protocol | 7.85.0 | 8.6.0 |
| L | CVE-2023-46219: HSTS long filename clears contents | 7.84.0 | 8.4.0 |
| M | CVE-2023-46218: cookie mixed case PSL bypass | 7.46.0 | 8.4.0 |
| L | CVE-2023-38546: cookie injection with none file | 7.9.1 | 8.3.0 |
| H | CVE-2023-38545: SOCKS5 heap buffer overflow | 7.69.0 | 8.3.0 |
| M | CVE-2023-38039: HTTP headers eat all memory | 7.84.0 | 8.2.1 |
| L | CVE-2023-28322: more POST-after-PUT confusion | 7.7 | 8.0.1 |
| L | CVE-2023-28321: IDN wildcard match | 7.12.0 | 8.0.1 |
| L | CVE-2023-28320: siglongjmp race condition | 7.9.8 | 8.0.1 |
| M | CVE-2023-28319: UAF in SSH sha256 fingerprint check | 7.81.0 | 8.0.1 |
| L | CVE-2023-27538: SSH connection too eager reuse still | 7.16.1 | 7.88.1 |
| L | CVE-2023-27536: GSS delegation too eager connection reuse | 7.22.0 | 7.88.1 |
| M | CVE-2023-27535: FTP too eager connection reuse | 7.13.0 | 7.88.1 |
| L | CVE-2023-27534: SFTP path ~ resolving discrepancy | 7.18.0 | 7.88.1 |
| L | CVE-2023-27533: TELNET option IAC injection | 7.7 | 7.88.1 |
| M | CVE-2023-23916: HTTP multi-header compression denial of service | 7.57.0 | 7.87.0 |
| L | CVE-2023-23915: HSTS amnesia with --parallel | 7.77.0 | 7.87.0 |
| L | CVE-2023-23914: HSTS ignored on multiple requests | 7.77.0 | 7.87.0 |

Further details

CVE data for 7.87.0 provided as JSON.

Changelog for curl 7.87.0

See vulnerability summary for the previous release: 7.86.0 or the subsequent release: 7.88.0