cURL Docs Security
We take security seriously and develop curl and libcurl to be secure and safe.
If you find or simply suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (closed list of receivers, mails are not disclosed) and tell.
We appreciate getting notified in advance before you go public with security advisories for the sake of our users.
See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.
libcurl/darwinssl certificate check bypass
Due to too agressive session re-use, a connection with disabled certificate check can be re-used wrongly even if the certificate check is enabled again and should reject the certificate.
URL request injection vulnerability
libcurl did not reject carriage returns or line feeds embedded in the URL, which could allow request or header injections when communicating over HTTP proxy.
libcurl duphandle read out of bounds
libcurl cookie leak with IP address as domain
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others.
libcurl cookie leak for TLDs
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
libcurl wrong re-use of connections
libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.
libcurl IP address wildcard certificate validation
libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses when built to use OpenSSL.
libcurl not verifying certs for TLS to IP address / Darwinssl
When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl built to use Darwinssl would wrongly not verify the server's name in the certificate.
libcurl not verifying certs for TLS to IP address / Winssl
When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl built to use Winssl would wrongly not verify the server's name in the certificate.
libcurl re-use of wrong HTTP NTLM connection
libcurl can in some circumstances re-use the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
libcurl cert name check ignore GnuTLS
libcurl cert name check ignore OpenSSL
libcurl URL decode buffer boundary flaw
The function curl_easy_unescape() decodes URL encoded strings to raw binary data. There's a buffer overflow risk in there.
libcurl cookie domain tailmatch
When communicating over HTTP(S) and having libcurl's cookie engine enabled, libcurl will store and hold cookies for use when subsequent requests are done to hosts and paths that match those kept cookies. Due to a bug in the tailmatching function, libcurl could wrongly send cookies meant for the domain ample.com when communicating with example.com.
libcurl SASL buffer overflow vulnerability
When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack.
curl SSL CBC IV vulnerability
curl URL sanitization vulnerability
libcurl inappropriate GSSAPI delegation
When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly so directs.
curl local file overwrite
curl offers a command line option --remote-header-name (also usable as -J) which will use the file name of the Content-disposition: header when it saves the downloaded data locally. It may overwrite a local file using the same name as the header specifies.
libcurl data callback excessive length
When downloading compressed content over HTTP and the app as asked libcurl to automatically uncompress it with the CURLOPT_ENCODING option, libcurl could wrongly provide the callback with more data than what the maximum documented amount. An application could thus get tricked into badness if the maximum limit was trusted to be enforced by libcurl itself (as it is documented).
libcurl embedded zero in cert name
SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. curl's OpenSSL interfacing code did faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled in case a certificate would get a zero byte embedded into one of the name fields.
libcurl Arbitrary File Access
When told to follow a "redirect" automatically, libcurl does not question the new target URL but will follow to any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application to read a local file instead of the remote one.
libcurl GnuTLS insufficient cert verification
libcurl (when built to use GnuTLS) fails to verify that a peer's certificate hasn't already expired or hasn't yet become valid. This allows malicious servers to present certificates to libcurl that won't be rejected properly.
libcurl TFTP Packet Buffer Overflow
libcurl URL Buffer Overflow
libcurl NTLM Buffer Overflow
libcurl's NTLM function can overflow a stack-based buffer if given a too long user name or domain name.
Kerberos Authentication Buffer Overflow
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was done without contacting us.
NTLM Authentication Buffer Overflow
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation. The announcement was done without contacting us.
Proxy Authentication Header Information Leakage
FTP Server Response Buffer Overflow
When storing an FTP server's error message on failure, there was no check for input length and thus a malicious FTP server could overflow curl's stack based buffer. securityfocus lists two exploits