
curl Security

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or even just suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (a closed list of recipients; mails are not disclosed) and tell us about it.

For the sake of our users, we appreciate being notified in advance before you go public with a security advisory.

See also the Vulnerabilities Table below for which versions are vulnerable to which flaws.

All known prior vulnerabilities

| #  | Vulnerability                                          | Date               | First vulnerable | Last vulnerable | CVE           |
|----|--------------------------------------------------------|--------------------|------------------|-----------------|---------------|
| 35 | sensitive HTTP server headers also sent to proxies     | April 29, 2015     | 7.1              | 7.42.0          | CVE-2015-3153 |
| 34 | host name out of boundary memory access                | April 22, 2015     | 7.37.0           | 7.41.0          | CVE-2015-3144 |
| 33 | cookie parser out of boundary memory access            | April 22, 2015     | 7.31.0           | 7.41.0          | CVE-2015-3145 |
| 32 | Negotiate not treated as connection-oriented           | April 22, 2015     | 7.10.6           | 7.41.0          | CVE-2015-3148 |
| 31 | Re-using authenticated connection when unauthenticated | April 22, 2015     | 7.10.6           | 7.41.0          | CVE-2015-3143 |
| 30 | darwinssl certificate check bypass                     | January 08, 2015   | 7.31.0           | 7.39.0          | CVE-2014-8151 |
| 29 | URL request injection                                  | January 08, 2015   | 6.0              | 7.39.0          | CVE-2014-8150 |
| 28 | duphandle read out of bounds                           | November 05, 2014  | 7.17.1           | 7.38.0          | CVE-2014-3707 |
| 27 | cookie leak for TLDs                                   | September 10, 2014 | 7.31.0           | 7.37.1          | CVE-2014-3620 |
| 26 | cookie leak with IP address as domain                  | September 10, 2014 | 7.1              | 7.37.1          | CVE-2014-3613 |
| 25 | not verifying certs for TLS to IP address / Winssl     | March 26, 2014     | 7.26.0           | 7.35.0          | CVE-2014-2522 |
| 24 | not verifying certs for TLS to IP address / Darwinssl  | March 26, 2014     | 7.26.0           | 7.35.0          | CVE-2014-1263 |
| 23 | IP address wildcard certificate validation             | March 26, 2014     | 7.1              | 7.35.0          | CVE-2014-0139 |
| 22 | wrong re-use of connections                            | March 26, 2014     | 7.10.7           | 7.35.0          | CVE-2014-0138 |
| 21 | re-use of wrong HTTP NTLM connection                   | January 29, 2014   | 7.10.6           | 7.34.0          | CVE-2014-0015 |
| 20 | cert name check ignore GnuTLS                          | December 17, 2013  | 7.21.4           | 7.33.0          | CVE-2013-6422 |
| 19 | cert name check ignore OpenSSL                         | November 15, 2013  | 7.18.0           | 7.32.0          | CVE-2013-4545 |
| 18 | URL decode buffer boundary flaw                        | June 22, 2013      | 7.7              | 7.30.0          | CVE-2013-2174 |
| 17 | cookie domain tailmatch                                | April 12, 2013     | 6.0              | 7.29.0          | CVE-2013-1944 |
| 16 | SASL buffer overflow vulnerability                     | February 06, 2013  | 7.26.0           | 7.28.1          | CVE-2013-0249 |
| 15 | SSL CBC IV vulnerability                               | January 24, 2012   | 7.10.6           | 7.23.1          | CVE-2011-3389 |
| 14 | URL sanitization vulnerability                         | January 24, 2012   | 7.20.0           | 7.23.1          | CVE-2012-0036 |
| 13 | inappropriate GSSAPI delegation                        | June 23, 2011      | 7.10.6           | 7.21.6          | CVE-2011-2192 |
| 12 | local file overwrite                                   | October 13, 2010   | 7.20.0           | 7.21.1          | CVE-2010-3842 |
| 11 | data callback excessive length                         | February 09, 2010  | 7.10.5           | 7.19.7          | CVE-2010-0734 |
| 10 | embedded zero in cert name                             | August 12, 2009    | 7.4              | 7.19.5          | CVE-2009-2417 |
| 9  | Arbitrary File Access                                  | March 03, 2009     | 6.0              | 7.19.3          | CVE-2009-0037 |
| 8  | GnuTLS insufficient cert verification                  | July 10, 2007      | 7.14.0           | 7.16.3          | CVE-2007-3564 |
| 7  | TFTP Packet Buffer Overflow                            | March 20, 2006     | 7.15.0           | 7.15.2          | CVE-2006-1061 |
| 6  | URL Buffer Overflow                                    | December 07, 2005  | 7.11.2           | 7.15.0          | CVE-2005-4077 |
| 5  | NTLM Buffer Overflow                                   | October 13, 2005   | 7.10.6           | 7.14.1          | CVE-2005-3185 |
| 4  | Kerberos Authentication Buffer Overflow                | February 21, 2005  | 7.3              | 7.13.0          | CVE-2005-0490 |
| 3  | NTLM Authentication Buffer Overflow                    | February 21, 2005  | 7.10.6           | 7.13.0          | CVE-2005-0490 |
| 2  | Proxy Authentication Header Information Leakage        | August 03, 2003    | 7.1              | 7.10.6          | [missing]     |
| 1  | FTP Server Response Buffer Overflow                    | October 13, 2000   | 6.0              | 7.4             | [missing]     |