curl / Docs / Release Docs / Security Problems

curl security problems

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (closed list of receivers, mails are not disclosed) and tell.

We appreciate getting notified in advance before you go public with security advisories for the sake of our users.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

All known prior vulnerabilities

# Vulnerability Date First Last CVE CWE
84 warning message out-of-buffer read October 31, 2018 7.14.1 7.61.1 CVE-2018-16842 CWE-125: Out-of-bounds Read
83 use-after-free in handle close October 31, 2018 7.59.0 7.61.1 CVE-2018-16840 CWE-416: Use After Free
82 SASL password overflow via integer overflow October 31, 2018 7.33.0 7.61.1 CVE-2018-16839 CWE-131: Incorrect Calculation of Buffer Size
81 NTLM password overflow via integer overflow September 05, 2018 7.15.4 7.61.0 CVE-2018-14618 CWE-131: Incorrect Calculation of Buffer Size
80 SMTP send heap buffer overflow July 11, 2018 7.54.1 7.60.0 CVE-2018-0500 CWE-122: Heap-based Buffer Overflow
79 FTP shutdown response buffer overflow May 16, 2018 7.54.1 7.59.0 CVE-2018-1000300 CWE-122: Heap-based Buffer Overflow
78 RTSP bad headers buffer over-read May 16, 2018 7.20.0 7.59.0 CVE-2018-1000301 CWE-126: Buffer Over-read
77 RTSP RTP buffer over-read March 14, 2018 7.20.0 7.58.0 CVE-2018-1000122 CWE-126: Buffer Over-read
76 LDAP NULL pointer dereference March 14, 2018 7.21.0 7.58.0 CVE-2018-1000121 CWE-476: NULL Pointer Dereference
75 FTP path trickery leads to NIL byte out of bounds write March 14, 2018 7.12.3 7.58.0 CVE-2018-1000120 CWE-122: Heap-based Buffer Overflow
74 HTTP authentication leak in redirects January 24, 2018 6.0 7.57.0 CVE-2018-1000007 CWE-522: Insufficiently Protected Credentials
73 HTTP/2 trailer out-of-bounds read January 24, 2018 7.49.0 7.57.0 CVE-2018-1000005 CWE-126: Buffer Over-read
72 SSL out of buffer access November 29, 2017 7.56.0 7.56.1 CVE-2017-8818 CWE-125: Out-of-bounds Read
71 FTP wildcard out of bounds read November 29, 2017 7.21.0 7.56.1 CVE-2017-8817 CWE-126: Buffer Over-read
70 NTLM buffer overflow via integer overflow November 29, 2017 7.36.0 7.56.1 CVE-2017-8816 CWE-131: Incorrect Calculation of Buffer Size
69 IMAP FETCH response out of bounds read October 12, 2017 7.20.0 7.56.0 CVE-2017-1000257 CWE-126: Buffer Over-read
68 FTP PWD response parser out of bounds read October 04, 2017 7.7 7.55.1 CVE-2017-1000254 CWE-126: Buffer Over-read
67 URL globbing out of bounds read August 09, 2017 7.34.0 7.54.1 CVE-2017-1000101 CWE-126: Buffer Over-read
66 TFTP sends more than buffer size August 09, 2017 7.15.0 7.54.1 CVE-2017-1000100 CWE-126: Buffer Over-read
65 FILE buffer read out of bounds August 09, 2017 7.54.1 7.54.1 CVE-2017-1000099 CWE-170: Improper Null Termination
64 URL file scheme drive letter buffer overflow June 14, 2017 7.53.0 7.54.0 CVE-2017-9502 CWE-122: Heap-based Buffer Overflow
63 TLS session resumption client cert bypass (again) April 19, 2017 7.52.0 7.53.1 CVE-2017-7468 CWE-305: Authentication Bypass by Primary Weakness
62 --write-out out of buffer read April 03, 2017 6.5 7.53.1 CVE-2017-7407 CWE-126: Buffer Over-read
61 SSL_VERIFYSTATUS ignored February 22, 2017 7.52.0 7.52.1 CVE-2017-2629 CWE-304: Missing Critical Step in Authentication
60 uninitialized random December 23, 2016 7.52.0 7.52.0 CVE-2016-9594 CWE-330: Use of Insufficiently Random Values
59 printf floating point buffer overflow December 21, 2016 7.1 7.51.0 CVE-2016-9586 CWE-121: Stack-based Buffer Overflow
58 Win CE schannel cert wildcard matches too much December 21, 2016 7.30.0 7.51.0 CVE-2016-9952 CWE-295: Improper Certificate Validation
57 Win CE schannel cert name out of buffer read December 21, 2016 7.30.0 7.51.0 CVE-2016-9953 CWE-126: Buffer Over-read
56 cookie injection for other servers November 02, 2016 7.1 7.50.3 CVE-2016-8615 CWE-187: Partial Comparison
55 case insensitive password comparison November 02, 2016 7.7 7.50.3 CVE-2016-8616 CWE-178: Improper Handling of Case Sensitivity
54 OOB write via unchecked multiplication November 02, 2016 7.1 7.50.3 CVE-2016-8617 CWE-131: Incorrect Calculation of Buffer Size
53 double-free in curl_maprintf November 02, 2016 7.1 7.50.3 CVE-2016-8618 CWE-415: Double Free
52 double-free in krb5 code November 02, 2016 7.3 7.50.3 CVE-2016-8619 CWE-415: Double Free
51 glob parser write/read out of bounds November 02, 2016 7.34.0 7.50.3 CVE-2016-8620 CWE-122: Heap-based Buffer Overflow
50 curl_getdate read out of bounds November 02, 2016 7.12.2 7.50.3 CVE-2016-8621 CWE-126: Buffer Over-read
49 URL unescape heap overflow via integer truncation November 02, 2016 7.24.0 7.50.3 CVE-2016-8622 CWE-122: Heap-based Buffer Overflow
48 Use-after-free via shared cookies November 02, 2016 7.10.7 7.50.3 CVE-2016-8623 CWE-416: Use After Free
47 invalid URL parsing with '#' November 02, 2016 7.1 7.50.3 CVE-2016-8624 CWE-172: Encoding Error
46 IDNA 2003 makes curl use wrong host November 02, 2016 7.12.0 7.50.3 CVE-2016-8625 CWE-838: Inappropriate Encoding for Output Context
45 curl escape and unescape integer overflows September 14, 2016 7.11.1 7.50.2 CVE-2016-7167 CWE-131: Incorrect Calculation of Buffer Size
44 Incorrect reuse of client certificates September 07, 2016 7.19.6 7.50.1 CVE-2016-7141 CWE-305: Authentication Bypass by Primary Weakness
43 TLS session resumption client cert bypass August 03, 2016 7.1 7.50.0 CVE-2016-5419 CWE-305: Authentication Bypass by Primary Weakness
42 Re-using connections with wrong client cert August 03, 2016 7.1 7.50.0 CVE-2016-5420 CWE-305: Authentication Bypass by Primary Weakness
41 use of connection struct after free August 03, 2016 7.32.0 7.50.0 CVE-2016-5421 CWE-416: Use After Free
40 Windows DLL hijacking May 30, 2016 7.11.1 7.49.0 CVE-2016-4802 CWE-94: Improper Control of Generation of Code ('Code Injection')
39 TLS certificate check bypass with mbedTLS/PolarSSL May 18, 2016 7.21.0 7.48.0 CVE-2016-3739 CWE-297: Improper Validation of Certificate with Host Mismatch
38 remote file name path traversal in curl tool for Windows January 27, 2016 7.20.0 7.46.0 CVE-2016-0754 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
37 NTLM credentials not-checked for proxy connection re-use January 27, 2016 7.10.7 7.46.0 CVE-2016-0755 CWE-305: Authentication Bypass by Primary Weakness
36 SMB send off unrelated memory contents June 17, 2015 7.40.0 7.42.1 CVE-2015-3237 CWE-126: Buffer Over-read
35 lingering HTTP credentials in connection re-use June 17, 2015 7.40.0 7.42.1 CVE-2015-3236 CWE-305: Authentication Bypass by Primary Weakness
34 sensitive HTTP server headers also sent to proxies April 29, 2015 7.1 7.42.0 CVE-2015-3153 CWE-201: Information Exposure Through Sent Data
33 host name out of boundary memory access April 22, 2015 7.37.0 7.41.0 CVE-2015-3144 CWE-124: Buffer Underwrite ('Buffer Underflow')
32 cookie parser out of boundary memory access April 22, 2015 7.31.0 7.41.0 CVE-2015-3145 CWE-124: Buffer Underwrite ('Buffer Underflow')
31 Negotiate not treated as connection-oriented April 22, 2015 7.10.6 7.41.0 CVE-2015-3148 CWE-305: Authentication Bypass by Primary Weakness
30 Re-using authenticated connection when unauthenticated April 22, 2015 7.10.6 7.41.0 CVE-2015-3143 CWE-305: Authentication Bypass by Primary Weakness
29 darwinssl certificate check bypass January 08, 2015 7.31.0 7.39.0 CVE-2014-8151 CWE-297: Improper Validation of Certificate with Host Mismatch
28 URL request injection January 08, 2015 6.0 7.39.0 CVE-2014-8150 CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
27 duphandle read out of bounds November 05, 2014 7.17.1 7.38.0 CVE-2014-3707 CWE-126: Buffer Over-read
26 cookie leak for TLDs September 10, 2014 7.31.0 7.37.1 CVE-2014-3620 CWE-201: Information Exposure Through Sent Data
25 cookie leak with IP address as domain September 10, 2014 7.1 7.37.1 CVE-2014-3613 CWE-201: Information Exposure Through Sent Data
24 not verifying certs for TLS to IP address / Winssl March 26, 2014 7.26.0 7.35.0 CVE-2014-2522 CWE-297: Improper Validation of Certificate with Host Mismatch
23 not verifying certs for TLS to IP address / Darwinssl March 26, 2014 7.26.0 7.35.0 CVE-2014-1263 CWE-297: Improper Validation of Certificate with Host Mismatch
22 IP address wildcard certificate validation March 26, 2014 7.1 7.35.0 CVE-2014-0139 CWE-297: Improper Validation of Certificate with Host Mismatch
21 wrong re-use of connections March 26, 2014 7.10.7 7.35.0 CVE-2014-0138 CWE-305: Authentication Bypass by Primary Weakness
20 re-use of wrong HTTP NTLM connection January 29, 2014 7.10.6 7.34.0 CVE-2014-0015 CWE-305: Authentication Bypass by Primary Weakness
19 cert name check ignore GnuTLS December 17, 2013 7.21.4 7.33.0 CVE-2013-6422 CWE-297: Improper Validation of Certificate with Host Mismatch
18 cert name check ignore OpenSSL November 15, 2013 7.18.0 7.32.0 CVE-2013-4545 CWE-297: Improper Validation of Certificate with Host Mismatch
17 URL decode buffer boundary flaw June 22, 2013 7.7 7.30.0 CVE-2013-2174 CWE-126: Buffer Over-read
16 cookie domain tailmatch April 12, 2013 6.0 7.29.0 CVE-2013-1944 CWE-201: Information Exposure Through Sent Data
15 SASL buffer overflow February 06, 2013 7.26.0 7.28.1 CVE-2013-0249 CWE-121: Stack-based Buffer Overflow
14 SSL CBC IV vulnerability January 24, 2012 7.10.6 7.23.1 CVE-2011-3389 CWE-924: Improper Enforcement of Message Integrity
13 URL sanitization vulnerability January 24, 2012 7.20.0 7.23.1 CVE-2012-0036 CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
12 inappropriate GSSAPI delegation June 23, 2011 7.10.6 7.21.6 CVE-2011-2192 CWE-281: Improper Preservation of Permissions
11 local file overwrite October 13, 2010 7.20.0 7.21.1 CVE-2010-3842 CWE-30: Path Traversal
10 data callback excessive length February 09, 2010 7.10.5 7.19.7 CVE-2010-0734 CWE-628: Function Call with Incorrectly Specified Arguments
9 embedded zero in cert name August 12, 2009 7.4 7.19.5 CVE-2009-2417 CWE-170: Improper Null Termination
8 Arbitrary File Access March 03, 2009 6.0 7.19.3 CVE-2009-0037 CWE-142: Improper Neutralization of Value Delimiters
7 GnuTLS insufficient cert verification July 10, 2007 7.14.0 7.16.3 CVE-2007-3564 CWE-298: Improper Validation of Certificate Expiration
6 TFTP Packet Buffer Overflow March 20, 2006 7.15.0 7.15.2 CVE-2006-1061 CWE-122: Heap-based Buffer Overflow
5 URL Buffer Overflow December 07, 2005 7.11.2 7.15.0 CVE-2005-4077 CWE-122: Heap-based Buffer Overflow
4 NTLM Buffer Overflow October 13, 2005 7.10.6 7.14.1 CVE-2005-3185 CWE-121: Stack-based Buffer Overflow
3 Authentication Buffer Overflows February 21, 2005 7.3 7.13.0 CVE-2005-0490 CWE-121: Stack-based Buffer Overflow
2 Proxy Authentication Header Information Leakage August 03, 2003 7.1 7.10.6 CVE-2003-1605 CWE-201: Information Exposure Through Sent Data
1 FTP Server Response Buffer Overflow October 13, 2000 6.0 7.4 CVE-2000-0973 CWE-121: Stack-based Buffer Overflow