
curl Security

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (a closed list of recipients; mails are not disclosed) and tell us about it.

For the sake of our users, we appreciate being notified in advance before you go public with a security advisory.

See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.

libcurl duphandle read out of bounds

Date: November 5, 2014
ID: CVE-2014-3707 20141105
Affected versions: from libcurl 7.17.1 to and including 7.38.0
Not affected versions: libcurl >= 7.39.0
Patch: CVE-2014-3707.patch
Advisories: Project cURL Security Advisory

Sending a binary HTTP POST with CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() can lead to libcurl sending wrong data read from the heap.

libcurl cookie leak with IP address as domain

Date: September 10, 2014
ID: CVE-2014-3613 20140910A
Affected versions: from libcurl 7.1 to and including 7.37.1
Not affected versions: libcurl >= 7.38.0
Patch: CVE-2014-3613.patch
Advisories: Project cURL Security Advisory

By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others.

libcurl cookie leak for TLDs

Date: September 10, 2014
ID: CVE-2014-3620 20140910B
Affected versions: from libcurl 7.31 to and including 7.37.1
Not affected versions: libcurl < 7.31 and libcurl >= 7.38.0
Patch: CVE-2014-3620.patch
Advisories: Project cURL Security Advisory

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

libcurl wrong re-use of connections

Date: March 26, 2014
ID: CVE-2014-0138 20140326A
Affected versions: from libcurl 7.10.6 to and including 7.35.0
Not affected versions: libcurl < 7.10.6 and >= 7.36.0
Patch: libcurl-bad-reuse.patch
Advisories: Project cURL Security Advisory

libcurl can in some circumstances re-use the wrong connection when asked to do transfers using protocols other than HTTP and FTP.

libcurl IP address wildcard certificate validation

Date: March 26, 2014
ID: CVE-2014-0139 20140326B
Affected versions: from libcurl 7.1 to and including 7.35.0
Not affected versions: libcurl >= 7.36.0
Patch: libcurl-reject-cert-ip-wildcards.patch
Advisories: Project cURL Security Advisory

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses when built to use OpenSSL.

libcurl not verifying certs for TLS to IP address / Darwinssl

Date: March 26, 2014
ID: CVE-2014-1263 20140326C
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0
Patch: commit afc6e5004fabee
Advisories: Project cURL Security Advisory

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl built to use Darwinssl would wrongly not verify the server's name in the certificate.

libcurl not verifying certs for TLS to IP address / Winssl

Date: March 26, 2014
ID: CVE-2014-2522 20140326D
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0
Patch: commit 63fc8ee7be2b71
Advisories: Project cURL Security Advisory

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl built to use Winssl would wrongly not verify the server's name in the certificate.

libcurl re-use of wrong HTTP NTLM connection

Date: January 29, 2014
ID: CVE-2014-0015 20140129
Affected versions: from libcurl 7.10.6 to and including 7.34.0
Not affected versions: libcurl < 7.10.6 and >= 7.35.0
Patch: for libcurl >= 7.28.0; for libcurl <= 7.27
Advisories: Project cURL Security Advisory

libcurl can in some circumstances re-use the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request.

libcurl cert name check ignore GnuTLS

Date: December 17, 2013
ID: CVE-2013-6422 20131217
Affected versions: from libcurl 7.21.4 to and including 7.33.0
Not affected versions: libcurl < 7.21.4 and >= 7.34.0
Patch: cve-2013-6422.patch
Advisories: Project cURL Security Advisory

When built to use GnuTLS, libcurl skips the check of the certificate's CN or SAN name field if digital signature verification is turned off.

libcurl cert name check ignore OpenSSL

Date: November 15, 2013
ID: CVE-2013-4545 20131115
Affected versions: from libcurl 7.18.0 to and including 7.32.0
Not affected versions: libcurl < 7.18.0 and >= 7.33.0
Patch: commit 3c3622b6
Advisories: Project cURL Security Advisory

When built to use OpenSSL, libcurl skips the check of the certificate's CN or SAN name field if digital signature verification is turned off.

libcurl URL decode buffer boundary flaw

Date: June 22, 2013
ID: CVE-2013-2174 20130622
Affected versions: from libcurl 7.7 to and including 7.30.0
Not affected versions: libcurl < 7.7 and >= 7.31.0
Patch: curl-unescape.patch
Advisories: Project cURL Security Advisory

The function curl_easy_unescape() decodes URL-encoded strings to raw binary data. It carries a buffer overflow risk.

libcurl cookie domain tailmatch

Date: April 12, 2013
ID: CVE-2013-1944 20130412
Affected versions: all versions, to and including 7.29.0
Not affected versions: >= 7.30.0
Patch: curl-tailmatch.patch
Advisories: Project cURL Security Advisory

When communicating over HTTP(S) with libcurl's cookie engine enabled, libcurl stores cookies and holds them for use in subsequent requests to hosts and paths that match those kept cookies. Due to a bug in the tail-matching function, libcurl could wrongly send cookies meant for the domain ample.com when communicating with example.com.
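As an added illustration (not curl's own code), a cookie domain tail match that enforces the label boundary the buggy function lacked, beside a naive suffix compare that reproduces the ample.com / example.com confusion described above:

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Constructed illustration of the flawed logic: a bare suffix compare,
 * so a cookie for "ample.com" matches the host "example.com". */
bool naive_tailmatch(const char *cookie_domain, const char *hostname)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(hostname);
    return dlen <= hlen &&
           strcasecmp(cookie_domain, hostname + (hlen - dlen)) == 0;
}

/* Correct tail match: the cookie domain must equal the hostname or be a
 * suffix that starts at a label boundary ('.'), case-insensitively. */
bool cookie_tailmatch(const char *cookie_domain, const char *hostname)
{
    size_t dlen, hlen;

    /* stored cookie domains may carry a leading dot; ignore it */
    if (cookie_domain[0] == '.')
        cookie_domain++;

    dlen = strlen(cookie_domain);
    hlen = strlen(hostname);
    if (dlen == 0 || dlen > hlen)
        return false;

    /* the tail of the hostname must match the cookie domain */
    if (strncasecmp(cookie_domain, hostname + (hlen - dlen), dlen) != 0)
        return false;

    /* exact match: the host is the cookie domain itself */
    if (dlen == hlen)
        return true;

    /* otherwise the character before the matched tail must be a '.' */
    return hostname[hlen - dlen - 1] == '.';
}
```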

libcurl SASL buffer overflow vulnerability

Date: February 6, 2013
ID: CVE-2013-0249 20130206
Affected versions: 7.26.0 to and including 7.28.1
Not affected versions: < 7.26.0 and >= 7.29.0
Patch: Curl_sasl_create_digest_md5_message-fix-buffer-overf.patch
Advisories: Project cURL Security Advisory, Volema's description, securityfocus

When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without doing the proper length checks, and that data is then appended to a local fixed-size buffer on the stack.

curl SSL CBC IV vulnerability

Date: January 24, 2012
ID:
Affected versions: 7.10.6 to and including 7.23.1
Not affected versions: < 7.10.6 and >= 7.24.0
Patch: curl-dont-insert-empty-fragments.patch
Advisories: Project cURL Security Advisory

When built to use OpenSSL, curl would wrongly disable the workaround for SSL weaknesses in SSL3.0 and TLS1.0.

curl URL sanitization vulnerability

Date: January 24, 2012
ID: CVE-2012-0036
Affected versions: 7.20.0 to and including 7.23.1
Not affected versions: < 7.20.0 and >= 7.24.0
Patch: curl-url-sanitize.patch
Advisories: Project cURL Security Advisory

When using URLs for the protocols IMAP, POP3 or SMTP, curl wouldn't properly sanitize the data passed in, which would allow users to cause malice by embedding URL-encoded control characters.

libcurl inappropriate GSSAPI delegation

Date: June 23, 2011
ID: CVE-2011-2192
Affected versions: 7.10.6 to and including 7.21.6
Not affected versions: <= 7.10.5 and >= 7.21.7
Patch: curl-gssapi-delegation.patch
Advisories: Project cURL Security Advisory

When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other party using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly directs it.

curl local file overwrite

Date: October 13, 2010
ID: CVE-2010-3842
Affected versions: 7.20.0 to and including 7.21.1
Not affected versions: <= 7.20.0 and >= 7.21.2
Patch: curl-content-disposition.patch
Advisories: Project cURL Security Advisory

curl offers a command line option --remote-header-name (also usable as -J) which uses the file name from the Content-disposition: header when it saves the downloaded data locally. It may overwrite an existing local file that has the same name as the header specifies.

libcurl data callback excessive length

Date: February 9, 2010
ID: CVE-2010-0734
Affected versions: 7.10.5 to and including 7.19.7
Not affected versions: <= 7.10.4 and >= 7.20.0
Patch: libcurl-contentencoding.patch
Advisories: Project cURL Security Advisory

When downloading compressed content over HTTP and the app has asked libcurl to automatically uncompress it with the CURLOPT_ENCODING option, libcurl could wrongly provide the callback with more data than the documented maximum amount. An application could thus get tricked into badness if it trusted libcurl to enforce that maximum limit itself (as it is documented to do).

libcurl embedded zero in cert name

Date: August 12, 2009
ID: CVE-2009-2417
Affected versions: 7.4 to and including 7.19.5
Not affected versions: 7.19.6 and later
Patches: curl.haxx.se/CVE-2009-2417
Advisories: Project cURL Security Advisory

SSL and TLS server certificates contain one or more fields with a server name or other matching patterns. curl's OpenSSL interfacing code made faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled in case a certificate had a zero byte embedded in one of the name fields.

libcurl Arbitrary File Access

Date: March 3, 2009
ID: CVE-2009-0037
Affected versions: 5.11 to and including 7.19.3
Not affected versions: 5.10 and earlier, 7.19.4 and later
Patches: curl.haxx.se/CVE-2009-0037
Advisories: Project cURL Security Advisory

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application into reading a local file instead of the remote one.

libcurl GnuTLS insufficient cert verification

Date: July 10, 2007
ID: BID 24938, CVE-2007-3564
Affected versions: 7.14.0 to and including 7.16.3
Not affected versions: 7.13.2 and earlier, 7.16.4 and later
Patch: libcurl-gnutlscert.patch
Advisories: Project cURL Security Advisory

libcurl (when built to use GnuTLS) fails to verify that a peer's certificate hasn't already expired or hasn't yet become valid. This allows malicious servers to present certificates to libcurl that won't be rejected properly.

Notably, the CA cert and common name checks are still in place, which reduces the risk of random servers taking advantage of this flaw.

libcurl TFTP Packet Buffer Overflow

Date: March 20, 2006
ID: BID 17154, SA19271, CVE-2006-1061
Affected versions: 7.15.0 to and including 7.15.2
Not affected versions: 7.14.1 and earlier, 7.15.3 and later
Patch: libcurl-tftp.patch
Advisories: Project cURL Security Advisory

libcurl uses the file part of a given TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer, due to the lack of a boundary check.

libcurl URL Buffer Overflow

Date: December 7, 2005
ID: BID 15756, SA17907, CVE-2005-4077
Affected versions: 7.11.2 to and including 7.15.0
Not affected versions: 7.11.1 and earlier, 7.15.1 and later
Patch: libcurl-urllen.patch (Note: for 7.14.0 and earlier the patch MUST be made to do +3 and not just +2.)
Advisories: Project cURL Security Advisory, Hardened-PHP Advisory

libcurl's URL parser function can overflow a malloced buffer in two ways if given an overly long URL.

libcurl NTLM Buffer Overflow

Date: October 13, 2005
ID: BID 15102, CAN-2005-3185
Affected versions: 7.10.6 to and including 7.14.1
Not affected versions: 7.10.5 and earlier, 7.15.0 and later
Patch: libcurl-ntlmbuf.patch
Advisories: Project cURL Security Advisory, iDEFENSE's advisory

libcurl's NTLM function can overflow a stack-based buffer if given an overly long user name or domain name.

Kerberos Authentication Buffer Overflow

Date: February 21, 2005
ID: BID 12616, CAN-2005-0490
Affected versions: 7.3 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Due to bad usage of the base64 decode function into a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of a single user that uses krb4-ftp, and I'm not even sure it still works 100%. The announcement was made without contacting us.

NTLM Authentication Buffer Overflow

Date: February 21, 2005
ID: BID 12615, CAN-2005-0490
Affected versions: 7.10.6 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Due to bad usage of the base64 decode function into a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation. The announcement was made without contacting us.

Proxy Authentication Header Information Leakage

Date: August 3, 2003
ID: BID 8432
Affected versions: 7.1 to and including 7.10.6
Not affected versions: 7.10.7 and later

When curl connected to a site via an HTTP proxy using the CONNECT request, the user name and password used for the proxy connection were also sent off to the remote server.

FTP Server Response Buffer Overflow

Date: October 13, 2000
ID: BID 1804, CVE-2000-0973
Affected versions: 6.0 (and possibly earlier) to and including 7.4
Not affected versions: 7.4.1 and later

When storing an FTP server's error message on failure, there was no check of the input length, and thus a malicious FTP server could overflow curl's stack-based buffer. securityfocus lists two exploits.