[ { "schema_version": "1.5.0", "id": "CURL-CVE-2026-3784", "aliases": [ "CVE-2026-3784" ], "summary": "wrong proxy connection reuse with credentials", "modified": "2026-03-11T07:49:13.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2026-3784.json", "www": "https://curl.se/docs/CVE-2026-3784.html", "issue": "https://hackerone.com/reports/3584903", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "8.18.0", "severity": "Low" }, "published": "2026-03-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.19.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "5f13a7645e565c5c1a06f3ef86e97afb856fb364"} ] } ], "versions": [ "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Muhamad Arga Reksapati (HackerOne: nobcoder)", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2026-3783", "aliases": [ "CVE-2026-3783" ], "summary": "token leak with redirect and netrc", "modified": "2026-03-11T07:49:13.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2026-3783.json", "www": "https://curl.se/docs/CVE-2026-3783.html", "issue": "https://hackerone.com/reports/3583983", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "last_affected": "8.18.0", "severity": "Medium" }, "published": "2026-03-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "8.19.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"}, {"fixed": "e3d7401a32a46516c9e5ee877e613e62ed35bddc"} ] } ], "versions": [ "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "spectreglobalsec on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second one." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2026-1965", "aliases": [ "CVE-2026-1965" ], "summary": "bad reuse of HTTP Negotiate connection", "modified": "2026-03-11T07:49:13.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2026-1965.json", "www": "https://curl.se/docs/CVE-2026-1965.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "8.18.0", "severity": "Medium" }, "published": "2026-03-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "8.19.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e56ae1426cb7a0a4a427cf8d6099a821fdaae428"}, {"fixed": "f1a39f221d57354990e3eeeddc3404aede2aff70"} ] } ], "versions": [ "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Zhicheng Chen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API)." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-15224", "aliases": [ "CVE-2025-15224" ], "summary": "libssh key passphrase bypass without agent set", "modified": "2026-01-07T07:59:34.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-15224.json", "www": "https://curl.se/docs/CVE-2025-15224.html", "issue": "https://hackerone.com/reports/3480925", "CWE": { "id": "CWE-287", "desc": "Improper Authentication" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.58.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a"}, {"fixed": "16d5f2a5660c61cc27bd5f1c7f512391d1c927aa"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-15079", "aliases": [ "CVE-2025-15079" ], "summary": "libssh global known_hosts override", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-15079.json", "www": "https://curl.se/docs/CVE-2025-15079.html", "issue": "https://hackerone.com/reports/3477116", "CWE": { "id": "CWE-297", "desc": "Improper Validation of Certificate with Host Mismatch" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.58.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a"}, {"fixed": "adca486c125d9a6d9565b9607a19dce803a8b479"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14819", "aliases": [ "CVE-2025-14819" ], "summary": "OpenSSL partial chain store policy bypass", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2025-14819.json", "www": "https://curl.se/docs/CVE-2025-14819.html", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.87.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3c16697ebd796f799227be293e8689aec5f8190d"}, {"fixed": "cd046f6c93b39d673a58c18648d8906e954c4f5d"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing TLS related transfers with reused easy or multi handles and\naltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14524", "aliases": [ "CVE-2025-14524" ], "summary": "bearer token leak on cross-protocol redirect", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-14524.json", "www": "https://curl.se/docs/CVE-2025-14524.html", "issue": "https://hackerone.com/reports/3459417", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Low" }, "published": "2026-01-06T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.33.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"}, {"fixed": "1a822275d333dc6da6043497160fd04c8fa48640"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0" ] } ], "credits": [ { "name": "anonymous237 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-14017", "aliases": [ "CVE-2025-14017" ], "summary": "broken TLS options for threaded LDAPS", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2025-14017.json", "www": "https://curl.se/docs/CVE-2025-14017.html", "CWE": { "id": "CWE-567", "desc": "Unsynchronized Access to Shared Data in a Multi-threaded Context" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Medium" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.17.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34"}, {"fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-13034", "aliases": [ "CVE-2025-13034" ], "summary": "No QUIC certificate pinning with GnuTLS", "modified": "2026-01-07T14:25:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-13034.json", "www": "https://curl.se/docs/CVE-2025-13034.html", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.17.0", "severity": "Medium" }, "published": "2026-01-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "8.8.0"}, {"fixed": "8.18.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3210101088dfa3d6a125d213226b092f2f866722"}, {"fixed": "3d91ca8cdb3b434226e743946d428b4dd3acf2c9"} ] } ], "versions": [ "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool, curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-10966", "aliases": [ "CVE-2025-10966" ], "summary": "missing SFTP host verification with wolfSSH", "modified": "2025-11-11T11:36:34.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-10966.json", "www": "https://curl.se/docs/CVE-2025-10966.html", "issue": "https://hackerone.com/reports/3355218", "CWE": { "id": "CWE-322", "desc": "Key Exchange without Entity Authentication" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.16.0", "severity": "Low" }, "published": "2025-11-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.69.0"}, {"fixed": "8.17.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "6773c7ca65cf2183295e56603f9b86a5ce816a06"}, {"fixed": "b011e3fcfb06d6c0278595ee2ee297036fbe9793"} ] } ], "versions": [ "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0" ] } ], "credits": [ { "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-10148", "aliases": [ "CVE-2025-10148" ], "summary": "predictable WebSocket mask", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-10148.json", "www": "https://curl.se/docs/CVE-2025-10148.html", "issue": "https://hackerone.com/reports/3330839", "CWE": { "id": "CWE-340", "desc": "Generation of Predictable Numbers or Identifiers" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.15.0", "severity": "Low" }, "published": "2025-09-10T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "8.11.0"}, {"fixed": "8.16.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d78e129d50b2d190f1c1bde2ad1f62f02f152db0"}, {"fixed": "84db7a9eae8468c0445b15aa806fa7fa806fa0f2"} ] } ], "versions": [ "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0" ] } ], "credits": [ { "name": "Calvin Ruocco (Vector Informatik GmbH)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl's WebSocket code did not update the 32-bit mask pattern for each new\noutgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-5025", "aliases": [ "CVE-2025-5025" ], "summary": "No QUIC certificate pinning with wolfSSL", "modified": "2025-05-28T08:10:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-5025.json", "www": "https://curl.se/docs/CVE-2025-5025.html", "issue": "https://hackerone.com/reports/3153497", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.13.0", "severity": "Medium" }, "published": "2025-05-28T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "8.5.0"}, {"fixed": "8.14.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c"}, {"fixed": "e1f65937a96a451292e9231339672797da86ecc5"} ] } ], "versions": [ "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-4947", "aliases": [ "CVE-2025-4947" ], "summary": "QUIC certificate check skip with wolfSSL", "modified": "2025-05-28T08:10:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-4947.json", "www": "https://curl.se/docs/CVE-2025-4947.html", "issue": "https://hackerone.com/reports/3150884", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "2540", "currency": "USD" }, "last_affected": "8.13.0", "severity": "Medium" }, "published": "2025-05-28T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "8.8.0"}, {"fixed": "8.14.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "4c46e277b2a0c0489de0e0fcb91f315c62f0369c"}, {"fixed": "a85f1df4803bbd272905c9e712537b41afeafbd3"} ] } ], "versions": [ "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl accidentally skips the certificate verification for QUIC connections\nwhen connecting to a host specified as an IP address in the URL. Therefore, it\ndoes not detect impostors or man-in-the-middle attacks." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0725", "aliases": [ "CVE-2025-0725" ], "summary": "gzip integer overflow", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0725.json", "www": "https://curl.se/docs/CVE-2025-0725.html", "issue": "https://hackerone.com/reports/2956023", "CWE": { "id": "CWE-680", "desc": "Integer Overflow to Buffer Overflow" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.5"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "019c4088cfcca0d2b7c5cc4f52ca5dac0c616089"}, {"fixed": "76f83f0db23846e254d940ec7fe141010077eb88"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5" ] } ], "credits": [ { "name": "z2_", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0167", "aliases": [ "CVE-2025-0167" ], "summary": "netrc and default credential leak", "modified": "2025-11-05T13:56:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0167.json", "www": "https://curl.se/docs/CVE-2025-0167.html", "issue": "https://hackerone.com/reports/2917232", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.76.0"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"}, {"fixed": "0e120c5b925e8ca75d5319e319e5ce4b8080d8eb"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0" ] } ], "credits": [ { "name": "Yihang Zhou", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2024-11053", "aliases": [ "CVE-2024-11053" ], "summary": "netrc and redirect credential leak", "modified": "2025-11-05T13:56:14.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2024-11053.json", "www": "https://curl.se/docs/CVE-2024-11053.html", "issue": "https://hackerone.com/reports/2829063", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.0", "severity": "Low" }, "published": "2024-12-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.76.0"}, {"fixed": "8.11.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"}, {"fixed": "e9b9bbac22c26cf67316fa8e6c6b9e831af31949"} ] } ], "versions": [ "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password." }]