[ { "schema_version": "1.5.0", "id": "CURL-CVE-2025-15224", "aliases": [ "CVE-2025-15224" ], "summary": "libssh key passphrase bypass without agent set", "modified": "2026-01-07T07:59:34.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-15224.json", "www": "https://curl.se/docs/CVE-2025-15224.html", "issue": "https://hackerone.com/reports/3480925", "CWE": { "id": "CWE-287", "desc": "Improper Authentication" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.58.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a"}, {"fixed": "16d5f2a5660c61cc27bd5f1c7f512391d1c927aa"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-15079", "aliases": [ "CVE-2025-15079" ], "summary": "libssh global known_hosts override", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-15079.json", "www": "https://curl.se/docs/CVE-2025-15079.html", "issue": "https://hackerone.com/reports/3477116", "CWE": { "id": "CWE-297", "desc": "Improper Validation of Certificate with Host Mismatch" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.58.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a"}, {"fixed": "adca486c125d9a6d9565b9607a19dce803a8b479"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14819", "aliases": [ "CVE-2025-14819" ], "summary": "OpenSSL partial chain store policy bypass", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2025-14819.json", "www": "https://curl.se/docs/CVE-2025-14819.html", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.87.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3c16697ebd796f799227be293e8689aec5f8190d"}, {"fixed": "cd046f6c93b39d673a58c18648d8906e954c4f5d"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing TLS related transfers with reused easy or multi handles and\naltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14524", "aliases": [ "CVE-2025-14524" ], "summary": "bearer token leak on cross-protocol redirect", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-14524.json", "www": "https://curl.se/docs/CVE-2025-14524.html", "issue": "https://hackerone.com/reports/3459417", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"}, {"fixed": "1a822275d333dc6da6043497160fd04c8fa48640"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "anonymous237 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14017", "aliases": [ "CVE-2025-14017" ], "summary": "broken TLS options for threaded LDAPS", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2025-14017.json", "www": "https://curl.se/docs/CVE-2025-14017.html", "CWE": { "id": "CWE-567", "desc": "Unsynchronized Access to Shared Data in a Multi-threaded Context" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Medium" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.17.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34"}, {"fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-10966", "aliases": [ "CVE-2025-10966" ], "summary": "missing SFTP host verification with wolfSSH", "modified": "2025-11-11T11:36:34.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-10966.json", "www": "https://curl.se/docs/CVE-2025-10966.html", "issue": "https://hackerone.com/reports/3355218", "CWE": { "id": "CWE-322", "desc": "Key Exchange without Entity Authentication" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.16.0", "severity": "Low" }, "published": "2025-11-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.69.0"}, {"fixed": "8.17.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "6773c7ca65cf2183295e56603f9b86a5ce816a06"}, {"fixed": "b011e3fcfb06d6c0278595ee2ee297036fbe9793"} ] } ], "versions": [ "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0725", "aliases": [ "CVE-2025-0725" ], "summary": "gzip integer overflow", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0725.json", "www": "https://curl.se/docs/CVE-2025-0725.html", "issue": "https://hackerone.com/reports/2956023", "CWE": { "id": "CWE-680", "desc": "Integer Overflow to Buffer Overflow" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.5"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "019c4088cfcca0d2b7c5cc4f52ca5dac0c616089"}, {"fixed": "76f83f0db23846e254d940ec7fe141010077eb88"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5" ] } ], "credits": [ { "name": "z2_", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0167", "aliases": [ "CVE-2025-0167" ], "summary": "netrc and default credential leak", "modified": "2025-11-05T13:56:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0167.json", "www": "https://curl.se/docs/CVE-2025-0167.html", "issue": "https://hackerone.com/reports/2917232", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.76.0"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"}, {"fixed": "0e120c5b925e8ca75d5319e319e5ce4b8080d8eb"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0" ] } ], "credits": [ { "name": "Yihang Zhou", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-11053", "aliases": [ "CVE-2024-11053" ], "summary": "netrc and redirect credential leak", "modified": "2025-11-05T13:56:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-11053.json", "www": "https://curl.se/docs/CVE-2024-11053.html", "issue": "https://hackerone.com/reports/2829063", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.0", "severity": "Low" }, "published": "2024-12-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.76.0"}, {"fixed": "8.11.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"}, {"fixed": "e9b9bbac22c26cf67316fa8e6c6b9e831af31949"} ] } ], "versions": [ "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-9681", "aliases": [ "CVE-2024-9681" ], "summary": "HSTS subdomain overwrites parent cache entry", "modified": "2024-11-07T23:43:58.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-9681.json", "www": "https://curl.se/docs/CVE-2024-9681.html", "issue": "https://hackerone.com/reports/2764830", "CWE": { "id": "CWE-1025", "desc": "Comparison Using Wrong Factors" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.10.1", "severity": "Low" }, "published": "2024-11-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.74.0"}, {"fixed": "8.11.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"}, {"fixed": "a94973805df96269bf3f3bf0a20ccb9887313316"} ] } ], "versions": [ "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0" ] } ], "credits": [ { "name": "newfunction", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-8096", "aliases": [ "CVE-2024-8096" ], "summary": "OCSP stapling bypass with GnuTLS", "modified": "2024-10-24T18:05:41.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-8096.json", "www": "https://curl.se/docs/CVE-2024-8096.html", "issue": "https://hackerone.com/reports/2669852", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.9.1", "severity": "Medium" }, "published": "2024-09-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.41.0"}, {"fixed": "8.10.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "f13669a375f5bfd14797bda91642cabe076974fa"}, {"fixed": "aeb1a281cab13c7ba791cb104e556b20e713941f"} ] } ], "versions": [ "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as OCSP stapling, to verify that the server certificate is valid,\nit might fail to detect some OCSP problems and instead wrongly consider the\nresponse as fine.\n\nIf the returned status reports another error than \"revoked\" (like for example\n\"unauthorized\") it is not treated as a bad certificate." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-7264", "aliases": [ "CVE-2024-7264" ], "summary": "ASN.1 date parser overread", "modified": "2024-07-31T09:57:12.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-7264.json", "www": "https://curl.se/docs/CVE-2024-7264.html", "issue": "https://hackerone.com/reports/2629968", "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.9.0", "severity": "Low" }, "published": "2024-07-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.32.0"}, {"fixed": "8.9.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d"}, {"fixed": "27959ecce75cdb2809c0bdb3286e60e08fadb519"} ] } ], "versions": [ "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0" ] } ], "credits": [ { "name": "Dov Murik (Transmit Security)", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-2398", "aliases": [ "CVE-2024-2398" ], "summary": "HTTP/2 push headers memory-leak", "modified": "2024-03-26T10:36:00.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2024-2398.json", "www": "https://curl.se/docs/CVE-2024-2398.html", "issue": "https://hackerone.com/reports/2402845", "CWE": { "id": "CWE-772", "desc": "Missing Release of Resource after Effective Lifetime" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.6.0", "severity": "Medium" }, "published": "2024-03-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.44.0"}, {"fixed": "8.7.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ea7134ac874a66107e54ff93657ac565cf2ec4aa"}, {"fixed": "deca8039991886a559b67bcd6701db800a5cf764"} ] } ], "versions": [ "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0" ] } ], "credits": [ { "name": "w0x42 on hackerone", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an application tells libcurl it wants to allow HTTP/2 server push, and\nthe amount of received headers for the push surpasses the maximum allowed\nlimit (1000), libcurl aborts the server push. When aborting, libcurl\ninadvertently does not free all the previously allocated headers and instead\nleaks the memory.\n\nFurther, this error condition fails silently and is therefore not easily\ndetected by an application." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-2004", "aliases": [ "CVE-2024-2004" ], "summary": "Usage of disabled protocol", "modified": "2024-03-26T10:36:00.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-2004.json", "www": "https://curl.se/docs/CVE-2024-2004.html", "issue": "https://hackerone.com/reports/2384833", "CWE": { "id": "CWE-115", "desc": "Misinterpretation of Input" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.6.0", "severity": "Low" }, "published": "2024-03-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.85.0"}, {"fixed": "8.7.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e6f8445edef8e7996d1cfb141d6df184efef972c"}, {"fixed": "17d302e56221f5040092db77d4f85086e8a20e0e"} ] } ], "versions": [ "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0" ] } ], "credits": [ { "name": "Dan Fandrich", "type": "FINDER" }, { "name": "Daniel Gustafsson", "type": "REMEDIATION_DEVELOPER" } ], "details": "When a protocol selection parameter option disables all protocols without\nadding any then the default set of protocols would remain in the allowed set\ndue to an error in the logic for removing protocols. The below command would\nperform a request to curl.se with a plaintext protocol which has been\nexplicitly disabled.\n\n curl --proto -all,-http http://curl.se\n\nThe flaw is only present if the set of selected protocols disables the entire\nset of available protocols, in itself a command with no practical use and\ntherefore unlikely to be encountered in real situations. The curl security team\nhas thus assessed this to be low severity bug." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-46219", "aliases": [ "CVE-2023-46219" ], "summary": "HSTS long filename clears contents", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-46219.json", "www": "https://curl.se/docs/CVE-2023-46219.html", "issue": "https://hackerone.com/reports/2236133", "CWE": { "id": "CWE-311", "desc": "Missing Encryption of Sensitive Data" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.4.0", "severity": "Low" }, "published": "2023-12-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.84.0"}, {"fixed": "8.5.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "20f9dd6bae50b7223171b17ba7798946e74f877f"}, {"fixed": "73b65e94f3531179de45c6f3c836a610e3d0a846"} ] } ], "versions": [ "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0" ] } ], "credits": [ { "name": "Maksymilian Arciemowicz", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When saving HSTS data to an excessively long filename, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-46218", "aliases": [ "CVE-2023-46218" ], "summary": "cookie mixed case PSL bypass", "modified": "2024-01-12T23:40:27.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-46218.json", "www": "https://curl.se/docs/CVE-2023-46218.html", "issue": "https://hackerone.com/reports/2212193", "CWE": { "id": "CWE-201", "desc": "Information Exposure Through Sent Data" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.4.0", "severity": "Medium" }, "published": "2023-12-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.46.0"}, {"fixed": "8.5.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e77b5b7453c1e8ccd7ec0816890d98e2f392e465"}, {"fixed": "2b0994c29a721c91c572cff7808c572a24d251eb"} ] } ], "versions": [ "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a\nlowercase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL\ndomain." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-38546", "aliases": [ "CVE-2023-38546" ], "summary": "cookie injection with none file", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-38546.json", "www": "https://curl.se/docs/CVE-2023-38546.html", "issue": "https://hackerone.com/reports/2148242", "CWE": { "id": "CWE-73", "desc": "External Control of filename or Path" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.3.0", "severity": "Low" }, "published": "2023-10-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.9.1"}, {"fixed": "8.4.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "74d5a6fb3b9a96d9fa51ba90996e94c878ebd151"}, {"fixed": "61275672b46d9abb3285740467b882e22ed75da8"} ] } ], "versions": [ "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1" ] } ], "credits": [ { "name": "w0x42 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw allows an attacker to intentionally inject cookies into a running\nprogram using libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the filename as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl, when using the correct file format of course." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-38545", "aliases": [ "CVE-2023-38545" ], "summary": "SOCKS5 heap buffer overflow", "modified": "2023-11-19T16:44:33.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-38545.json", "www": "https://curl.se/docs/CVE-2023-38545.html", "issue": "https://hackerone.com/reports/2187833", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "award": { "amount": "4660", "currency": "USD" }, "last_affected": "8.3.0", "severity": "High" }, "published": "2023-10-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.69.0"}, {"fixed": "8.4.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "4a4b63daaa01ef59b131d91e8e6e6dfe275c0f08"}, {"fixed": "fb4415d8aee6c1045be932a34fe6107c2f5ed147"} ] } ], "versions": [ "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0" ] } ], "credits": [ { "name": "Jay Satiro", "type": "FINDER" }, { "name": "Jay Satiro", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the hostname to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that hostname can be is 255 bytes.\n\nIf the hostname is detected to be longer than 255 bytes, curl switches to\nlocal name resolving and instead passes on the resolved address only to the\nproxy. Due to a bug, the local variable that means \"let the host resolve the\nname\" could get the wrong value during a slow SOCKS5 handshake, and contrary\nto the intention, copy the too long hostname to the target buffer instead of\ncopying just the resolved address there." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-38039", "aliases": [ "CVE-2023-38039" ], "summary": "HTTP headers eat all memory", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-38039.json", "www": "https://curl.se/docs/CVE-2023-38039.html", "issue": "https://hackerone.com/reports/2072338", "CWE": { "id": "CWE-770", "desc": "Allocation of Resources Without Limits or Throttling" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.2.1", "severity": "Medium" }, "published": "2023-09-13T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.84.0"}, {"fixed": "8.3.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "4d94fac9f0d1dd02b8308291e4c47651142dc28b"}, {"fixed": "3ee79c1674fd6f99e8efca52cd7510e08b766770"} ] } ], "versions": [ "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0" ] } ], "credits": [ { "name": "selmelc on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit on the size or quantity of headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers to a client and eventually cause curl to run out of heap memory." }]