curl / Docs / Releases / curl CVEs

curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Published vulnerabilities

All | Medium+ | High+ | Critical

(The table below shows vulnerabilities of all severity levels)

# S W C Vulnerability Published First Last Awarded
151
L
CVE-2024-0853: OCSP verification bypass with TLS session reuse 2024-01-31 8.5.0 8.5.0 540 USD
150
L
CVE-2023-46219: HSTS long file name clears contents 2023-12-06 7.84.0 8.4.0 540 USD
149
M
CVE-2023-46218: cookie mixed case PSL bypass 2023-12-06 7.46.0 8.4.0 2540 USD
148
L
lib CVE-2023-38546: cookie injection with none file 2023-10-11 7.9.1 8.3.0 540 USD
147
H
C
CVE-2023-38545: SOCKS5 heap buffer overflow 2023-10-11 7.69.0 8.3.0 4660 USD
146
M
CVE-2023-38039: HTTP headers eat all memory 2023-09-13 7.84.0 8.2.1 2540 USD
145
L
lib CVE-2023-28322: more POST-after-PUT confusion 2023-05-17 7.7 8.0.1 480 USD
144
L
CVE-2023-28321: IDN wildcard match 2023-05-17 7.12.0 8.0.1 480 USD
143
L
lib CVE-2023-28320: siglongjmp race condition 2023-05-17 7.9.8 8.0.1 480 USD
142
M
C
CVE-2023-28319: UAF in SSH sha256 fingerprint check 2023-05-17 7.81.0 8.0.1 2400 USD
141
L
CVE-2023-27538: SSH connection too eager reuse still 2023-03-20 7.16.1 7.88.1 480 USD
140
L
lib
C
CVE-2023-27537: HSTS double free 2023-03-20 7.88.0 7.88.1 480 USD
139
L
lib CVE-2023-27536: GSS delegation too eager connection re-use 2023-03-20 7.22.0 7.88.1 480 USD
138
M
CVE-2023-27535: FTP too eager connection reuse 2023-03-20 7.13.0 7.88.1 2400 USD
137
L
CVE-2023-27534: SFTP path ~ resolving discrepancy 2023-03-20 7.18.0 7.88.1 480 USD
136
L
CVE-2023-27533: TELNET option IAC injection 2023-03-20 7.7 7.88.1 480 USD
135
M
CVE-2023-23916: HTTP multi-header compression denial of service 2023-02-15 7.57.0 7.87.0 2400 USD
134
L
CVE-2023-23915: HSTS amnesia with --parallel 2023-02-15 7.77.0 7.87.0 480 USD
133
L
CVE-2023-23914: HSTS ignored on multiple requests 2023-02-15 7.77.0 7.87.0 480 USD
132
L
C
CVE-2022-43552: HTTP Proxy deny use after free 2022-12-21 7.16.0 7.86.0
131
M
CVE-2022-43551: Another HSTS bypass via IDN 2022-12-21 7.77.0 7.86.0 2400 USD
130
M
CVE-2022-42916: HSTS bypass via IDN 2022-10-26 7.77.0 7.85.0 2400 USD
129
M
C
CVE-2022-42915: HTTP proxy double free 2022-10-26 7.77.0 7.85.0
128
L
C
CVE-2022-35260: .netrc parser out-of-bounds access 2022-10-26 7.84.0 7.85.0 480 USD
127
M
lib CVE-2022-32221: POST following PUT confusion 2022-10-26 7.7 7.85.0 2400 USD
126
L
CVE-2022-35252: control code in cookie denial of service 2022-08-31 4.9 7.84.0 480 USD
125
L
CVE-2022-32208: FTP-KRB bad message verification 2022-06-27 7.16.4 7.83.1 480 USD
124
M
CVE-2022-32207: Non-preserved file permissions 2022-06-27 7.69.0 7.83.1 2400 USD
123
M
CVE-2022-32206: HTTP compression denial of service 2022-06-27 7.57.0 7.83.1 2400 USD
122
L
CVE-2022-32205: Set-Cookie denial of service 2022-06-27 7.71.0 7.83.1 480 USD
121
M
CVE-2022-30115: HSTS bypass via trailing dot 2022-05-11 7.82.0 7.83.0 2400 USD
120
M
CVE-2022-27782: TLS and SSH connection too eager reuse 2022-05-11 7.16.1 7.83.0 2400 USD
119
L
lib CVE-2022-27781: CERTINFO never-ending busy-loop 2022-05-11 7.34.0 7.83.0
118
M
CVE-2022-27780: percent-encoded path separator in URL host 2022-05-11 7.80.0 7.83.0 2400 USD
117
M
CVE-2022-27779: cookie for trailing dot TLD 2022-05-11 7.82.0 7.83.0 2400 USD
116
M
tool CVE-2022-27778: curl removes wrong file on error 2022-05-11 7.83.0 7.83.0 2400 USD
115
L
CVE-2022-27776: Auth/cookie leak on redirect 2022-04-27 4.9 7.82.0 480 USD
114
L
CVE-2022-27775: Bad local IPv6 connection reuse 2022-04-27 7.65.0 7.82.0 480 USD
113
M
CVE-2022-27774: Credential leak on redirect 2022-04-27 4.9 7.82.0 2400 USD
112
M
CVE-2022-22576: OAUTH2 bearer bypass in connection re-use 2022-04-27 7.33.0 7.82.0 2400 USD
111
M
CVE-2021-22947: STARTTLS protocol injection via MITM 2021-09-15 7.20.0 7.78.0 1500 USD
110
M
CVE-2021-22946: Protocol downgrade required TLS bypassed 2021-09-15 7.20.0 7.78.0 1000 USD
109
M
C
CVE-2021-22945: UAF and double free in MQTT sending 2021-09-15 7.73.0 7.78.0 1000 USD
108
M
CVE-2021-22926: CURLOPT_SSLCERT mix-up with Secure Transport 2021-07-21 7.33.0 7.77.0 1000 USD
107
M
C
CVE-2021-22925: TELNET stack contents disclosure again 2021-07-21 7.7 7.77.0 800 USD
106
M
CVE-2021-22924: Bad connection reuse due to flawed path name checks 2021-07-21 7.10.4 7.77.0 1200 USD
105
M
tool CVE-2021-22923: Metalink download sends credentials 2021-07-21 7.27.0 7.77.0 700 USD
104
M
tool CVE-2021-22922: Wrong content via Metalink not discarded 2021-07-21 7.27.0 7.77.0 700 USD
103
H
C
CVE-2021-22901: TLS session caching disaster 2021-05-26 7.75.0 7.76.1 2000 USD
102
M
C
CVE-2021-22898: TELNET stack contents disclosure 2021-05-26 7.7 7.76.1 1000 USD
101
L
CVE-2021-22897: Schannel cipher selection surprise 2021-05-26 7.61.0 7.76.1 800 USD
100
L
CVE-2021-22890: TLS 1.3 session ticket proxy host mix-up 2021-03-31 7.63.0 7.75.0
99
L
CVE-2021-22876: Automatic referer leaks credentials 2021-03-31 7.1.1 7.75.0 800 USD
98
M
CVE-2020-8286: Inferior OCSP verification 2020-12-09 7.41.0 7.73.0 900 USD
97
M
lib CVE-2020-8285: FTP wildcard stack overflow 2020-12-09 7.21.0 7.73.0
96
L
CVE-2020-8284: trusting FTP PASV responses 2020-12-09 4.0 7.73.0 700 USD
95
L
lib CVE-2020-8231: wrong connect-only connection 2020-08-19 7.29.0 7.71.1 500 USD
94
M
tool CVE-2020-8177: curl overwrite local file with -J 2020-06-24 7.20.0 7.70.0 700 USD
93
M
CVE-2020-8169: Partial password leak over DNS on HTTP redirect 2020-06-24 7.62.0 7.70.0 400 USD
92
M
C
CVE-2019-5481: FTP-KRB double free 2019-09-11 7.52.0 7.65.3 200 USD
91
M
lib
C
CVE-2019-5482: TFTP small blocksize heap buffer overflow 2019-09-11 7.19.4 7.65.3 250 USD
90
H
CVE-2019-5443: Windows OpenSSL engine code injection 2019-06-24 7.44.0 7.65.1 200 USD
89
L
C
CVE-2019-5436: TFTP receive buffer overflow 2019-05-22 7.19.4 7.64.1 200 USD
88
L
C
CVE-2019-5435: Integer overflows in URL parser 2019-05-22 7.62.0 7.64.1 150 USD
87
M
C
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read 2019-02-06 7.36.0 7.63.0
86
H
C
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow 2019-02-06 7.36.0 7.63.0
85
L
C
CVE-2019-3823: SMTP end-of-response out-of-bounds read 2019-02-06 7.34.0 7.63.0
84
L
tool
C
CVE-2018-16842: warning message out-of-buffer read 2018-10-31 7.14.1 7.61.1 100 USD
83
L
C
CVE-2018-16840: use after free in handle close 2018-10-31 7.59.0 7.61.1 100 USD
82
L
C
CVE-2018-16839: SASL password overflow via integer overflow 2018-10-31 7.33.0 7.61.1
81
H
C
CVE-2018-14618: NTLM password overflow via integer overflow 2018-09-05 7.15.4 7.61.0
80
H
C
CVE-2018-0500: SMTP send heap buffer overflow 2018-07-11 7.54.1 7.60.0
79
H
C
CVE-2018-1000300: FTP shutdown response buffer overflow 2018-05-16 7.54.1 7.59.0
78
M
C
CVE-2018-1000301: RTSP bad headers buffer over-read 2018-05-16 7.20.0 7.59.0
77
M
C
CVE-2018-1000122: RTSP RTP buffer over-read 2018-03-14 7.20.0 7.58.0
76
L
C
CVE-2018-1000121: LDAP NULL pointer dereference 2018-03-14 7.21.0 7.58.0
75
H
C
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write 2018-03-14 7.12.3 7.58.0
74
L
CVE-2018-1000007: HTTP authentication leak in redirects 2018-01-24 6.0 7.57.0
73
L
C
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read 2018-01-24 7.49.0 7.57.0
72
H
C
CVE-2017-8818: SSL out of buffer access 2017-11-29 7.56.0 7.56.1
71
M
lib
C
CVE-2017-8817: FTP wildcard out of bounds read 2017-11-29 7.21.0 7.56.1
70
M
C
CVE-2017-8816: NTLM buffer overflow via integer overflow 2017-11-29 7.36.0 7.56.1
69
M
C
CVE-2017-1000257: IMAP FETCH response out of bounds read 2017-10-12 7.20.0 7.56.0
68
M
C
CVE-2017-1000254: FTP PWD response parser out of bounds read 2017-10-04 7.7 7.55.1
67
M
tool
C
CVE-2017-1000101: URL globbing out of bounds read 2017-08-09 7.34.0 7.54.1
66
H
C
CVE-2017-1000100: TFTP sends more than buffer size 2017-08-09 7.15.0 7.54.1
65
M
C
CVE-2017-1000099: FILE buffer read out of bounds 2017-08-09 7.54.1 7.54.1
64
H
C
CVE-2017-9502: URL file scheme drive letter buffer overflow 2017-06-14 7.53.0 7.54.0
63
H
CVE-2017-7468: TLS session resumption client cert bypass (again) 2017-04-19 7.52.0 7.53.1
62
M
tool
C
CVE-2017-7407: --write-out out of buffer read 2017-04-03 6.5 7.53.1
61
M
CVE-2017-2629: SSL_VERIFYSTATUS ignored 2017-02-22 7.52.0 7.52.1
60
H
CVE-2016-9594: uninitialized random 2016-12-23 7.52.0 7.52.0
59
M
lib
C
CVE-2016-9586: printf floating point buffer overflow 2016-12-21 5.4 7.51.0
58
M
CVE-2016-9952: Win CE Schannel cert wildcard matches too much 2016-12-21 7.27.0 7.51.0
57
M
C
CVE-2016-9953: Win CE Schannel cert name out of buffer read 2016-12-21 7.27.0 7.51.0
56
H
CVE-2016-8615: cookie injection for other servers 2016-11-02 4.9 7.50.3
55
M
CVE-2016-8616: case insensitive password comparison 2016-11-02 7.7 7.50.3
54
M
C
CVE-2016-8617: OOB write via unchecked multiplication 2016-11-02 7.8.1 7.50.3
53
M
lib
C
CVE-2016-8618: double free in curl_maprintf 2016-11-02 5.4 7.50.3
52
H
C
CVE-2016-8619: double free in krb5 code 2016-11-02 7.3 7.50.3
51
M
tool
C
CVE-2016-8620: glob parser write/read out of bounds 2016-11-02 7.34.0 7.50.3
50
M
C
CVE-2016-8621: curl_getdate read out of bounds 2016-11-02 7.12.2 7.50.3
49
M
C
CVE-2016-8622: URL unescape heap overflow via integer truncation 2016-11-02 7.24.0 7.50.3
48
H
lib
C
CVE-2016-8623: Use after free via shared cookies 2016-11-02 7.10.7 7.50.3
47
M
CVE-2016-8624: invalid URL parsing with '#' 2016-11-02 6.0 7.50.3
46
H
CVE-2016-8625: IDNA 2003 makes curl use wrong host 2016-11-02 7.12.0 7.50.3
45
M
lib
C
CVE-2016-7167: curl escape and unescape integer overflows 2016-09-14 7.11.1 7.50.2
44
H
CVE-2016-7141: Incorrect reuse of client certificates 2016-09-07 7.19.6 7.50.1
43
H
CVE-2016-5419: TLS session resumption client cert bypass 2016-08-03 5.0 7.50.0
42
M
CVE-2016-5420: Re-using connections with wrong client cert 2016-08-03 7.7 7.50.0
41
H
lib
C
CVE-2016-5421: use of connection struct after free 2016-08-03 7.32.0 7.50.0
40
H
CVE-2016-4802: Windows DLL hijacking 2016-05-30 7.11.1 7.49.0
39
H
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL 2016-05-18 7.21.0 7.48.0
38
H
tool CVE-2016-0754: remote file name path traversal in curl tool for Windows 2016-01-27 4.0 7.46.0
37
M
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use 2016-01-27 7.10.7 7.46.0
36
H
C
CVE-2015-3237: SMB send off unrelated memory contents 2015-06-17 7.40.0 7.42.1
35
H
CVE-2015-3236: lingering HTTP credentials in connection re-use 2015-06-17 7.40.0 7.42.1
34
H
CVE-2015-3153: sensitive HTTP server headers also sent to proxies 2015-04-29 4.0 7.42.0
33
M
C
CVE-2015-3144: host name out of boundary memory access 2015-04-22 7.37.0 7.41.0
32
M
C
CVE-2015-3145: cookie parser out of boundary memory access 2015-04-22 7.31.0 7.41.0
31
M
CVE-2015-3148: Negotiate not treated as connection-oriented 2015-04-22 7.10.6 7.41.0
30
M
CVE-2015-3143: Re-using authenticated connection when unauthenticated 2015-04-22 7.10.6 7.41.0
29
M
CVE-2014-8151: Secure Transport certificate check bypass 2015-01-08 7.31.0 7.39.0
28
H
CVE-2014-8150: URL request injection 2015-01-08 6.0 7.39.0
27
M
lib
C
CVE-2014-3707: duphandle read out of bounds 2014-11-05 7.17.1 7.38.0
26
H
CVE-2014-3620: cookie leak for TLDs 2014-09-10 7.31.0 7.37.1
25
M
CVE-2014-3613: cookie leak with IP address as domain 2014-09-10 4.0 7.37.1
24
M
CVE-2014-2522: not verifying certs for TLS to IP address / Schannel 2014-03-26 7.27.0 7.35.0
23
M
CVE-2014-1263: not verifying certs for TLS to IP address / Secure Transport 2014-03-26 7.27.0 7.35.0
22
M
CVE-2014-0139: IP address wildcard certificate validation 2014-03-26 7.10.3 7.35.0
21
M
CVE-2014-0138: wrong re-use of connections 2014-03-26 7.10.6 7.35.0
20
M
CVE-2014-0015: re-use of wrong HTTP NTLM connection 2014-01-29 7.10.6 7.34.0
19
M
lib CVE-2013-6422: cert name check ignore with GnuTLS 2013-12-17 7.21.4 7.33.0
18
M
lib CVE-2013-4545: cert name check ignore OpenSSL 2013-11-15 7.18.0 7.32.0
17
H
lib
C
CVE-2013-2174: URL decode buffer boundary flaw 2013-06-22 7.7 7.30.0
16
H
CVE-2013-1944: cookie domain tailmatch 2013-04-12 4.7 7.29.0
15
C
C
CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
14
H
CVE-2011-3389: SSL CBC IV vulnerability 2012-01-24 7.10.6 7.23.1
13
H
CVE-2012-0036: URL sanitization vulnerability 2012-01-24 7.20.0 7.23.1
12
M
CVE-2011-2192: inappropriate GSSAPI delegation 2011-06-23 7.10.6 7.21.6
11
H
tool CVE-2010-3842: local file overwrite 2010-10-13 7.20.0 7.21.1
10
H
lib CVE-2010-0734: data callback excessive length 2010-02-09 7.10.5 7.19.7
9
H
C
CVE-2009-2417: embedded zero in cert name 2009-08-12 7.4 7.19.5
8
M
CVE-2009-0037: Arbitrary File Access 2009-03-03 5.11 7.19.3
7
L
CVE-2007-3564: GnuTLS insufficient cert verification 2007-07-10 7.14.0 7.16.3
6
H
C
CVE-2006-1061: TFTP Packet Buffer Overflow 2006-03-20 7.15.0 7.15.2
5
H
C
CVE-2005-4077: URL Buffer Overflow 2005-12-07 7.11.2 7.15.0
4
H
C
CVE-2005-3185: NTLM Buffer Overflow 2005-10-13 7.10.6 7.14.1
3
H
C
CVE-2005-0490: Authentication Buffer Overflows 2005-02-21 7.3 7.13.0
2
H
CVE-2003-1605: Proxy Authentication Header Information Leakage 2003-08-03 4.5 7.10.6
1
C
C
CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

C mistakes

The flaws listed as "C mistakes" are vulnerabilities that we deem are likely to not have happened should we have used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE and UNINIT.

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.

The JSON output follows the Open Source Vulnerability format