curl / Docs / Releases / curl CVEs

curl CVEs

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Published vulnerabilities

All | Medium+ | High+ | Critical

(The table below shows vulnerabilities of all severity levels)

#	S	W	C	Vulnerability	Published	First	Last	Awarded
167	L	lib		CVE-2025-5399: WebSocket endless loop	2025-06-04	8.13.0	8.14.0	505 USD
166	M			CVE-2025-5025: No QUIC certificate pinning with wolfSSL	2025-05-28	8.5.0	8.13.0	2540 USD
165	M			CVE-2025-4947: QUIC certificate check skip with wolfSSL	2025-05-28	8.8.0	8.13.0	2540 USD
164	L		C	CVE-2025-0725: gzip integer overflow	2025-02-05	7.10.5	8.11.1	505 USD
163	L			CVE-2025-0665: eventfd double close	2025-02-05	8.11.1	8.11.1	505 USD
162	L			CVE-2025-0167: netrc and default credential	2025-02-05	7.76.0	8.11.1	505 USD
161	L			CVE-2024-11053: netrc and redirect credential	2024-12-11	7.76.0	8.11.0	505 USD
160	L			CVE-2024-9681: HSTS subdomain overwrites parent cache entry	2024-11-05	7.74.0	8.10.1	540 USD
159	M			CVE-2024-8096: OCSP stapling bypass with GnuTLS	2024-09-11	7.41.0	8.9.1	2540 USD
158	L		C	CVE-2024-7264: ASN.1 date parser overread	2024-07-31	7.32.0	8.9.0	540 USD
157	L	lib	C	CVE-2024-6874: macidn punycode buffer overread	2024-07-24	8.8.0	8.8.0	540 USD
156	M		C	CVE-2024-6197: freeing stack buffer in utf8asn1str	2024-07-24	8.6.0	8.8.0	2540 USD
155	M			CVE-2024-2466: TLS certificate check bypass with mbedTLS	2024-03-27	8.5.0	8.6.0	2540 USD
154	M	lib		CVE-2024-2398: HTTP/2 push headers memory-	2024-03-27	7.44.0	8.6.0	2540 USD
153	L			CVE-2024-2379: QUIC certificate check bypass with wolfSSL	2024-03-27	8.6.0	8.6.0	540 USD
152	L			CVE-2024-2004: Usage of disabled protocol	2024-03-27	7.85.0	8.6.0	540 USD
151	L			CVE-2024-0853: OCSP verification bypass with TLS session reuse	2024-01-31	8.5.0	8.5.0	540 USD
150	L			CVE-2023-46219: HSTS long filename clears contents	2023-12-06	7.84.0	8.4.0	540 USD
149	M			CVE-2023-46218: cookie mixed case PSL bypass	2023-12-06	7.46.0	8.4.0	2540 USD
148	L	lib		CVE-2023-38546: cookie injection with none file	2023-10-11	7.9.1	8.3.0	540 USD
147	H		C	CVE-2023-38545: SOCKS5 heap buffer overflow	2023-10-11	7.69.0	8.3.0	4660 USD
146	M			CVE-2023-38039: HTTP headers eat all memory	2023-09-13	7.84.0	8.2.1	2540 USD
145	L	lib		CVE-2023-28322: more POST-after-PUT confusion	2023-05-17	7.7	8.0.1	480 USD
144	L			CVE-2023-28321: IDN wildcard match	2023-05-17	7.12.0	8.0.1	480 USD
143	L	lib		CVE-2023-28320: siglongjmp race condition	2023-05-17	7.9.8	8.0.1	480 USD
142	M		C	CVE-2023-28319: UAF in SSH sha256 fingerprint check	2023-05-17	7.81.0	8.0.1	2400 USD
141	L			CVE-2023-27538: SSH connection too eager reuse still	2023-03-20	7.16.1	7.88.1	480 USD
140	L	lib	C	CVE-2023-27537: HSTS double free	2023-03-20	7.88.0	7.88.1	480 USD
139	L	lib		CVE-2023-27536: GSS delegation too eager connection re-use	2023-03-20	7.22.0	7.88.1	480 USD
138	M			CVE-2023-27535: FTP too eager connection reuse	2023-03-20	7.13.0	7.88.1	2400 USD
137	L			CVE-2023-27534: SFTP path ~ resolving discrepancy	2023-03-20	7.18.0	7.88.1	480 USD
136	L			CVE-2023-27533: TELNET option IAC injection	2023-03-20	7.7	7.88.1	480 USD
135	M			CVE-2023-23916: HTTP multi-header compression denial of service	2023-02-15	7.57.0	7.87.0	2400 USD
134	L			CVE-2023-23915: HSTS amnesia with --parallel	2023-02-15	7.77.0	7.87.0	480 USD
133	L			CVE-2023-23914: HSTS ignored on multiple requests	2023-02-15	7.77.0	7.87.0	480 USD
132	L		C	CVE-2022-43552: HTTP Proxy deny use after free	2022-12-21	7.16.0	7.86.0
131	M			CVE-2022-43551: Another HSTS bypass via IDN	2022-12-21	7.77.0	7.86.0	2400 USD
130	M			CVE-2022-42916: HSTS bypass via IDN	2022-10-26	7.77.0	7.85.0	2400 USD
129	M		C	CVE-2022-42915: HTTP proxy double free	2022-10-26	7.77.0	7.85.0
128	L		C	CVE-2022-35260: .netrc parser out-of-bounds access	2022-10-26	7.84.0	7.85.0	480 USD
127	M	lib		CVE-2022-32221: POST following PUT confusion	2022-10-26	7.7	7.85.0	2400 USD
126	L			CVE-2022-35252: control code in cookie denial of service	2022-08-31	4.9	7.84.0	480 USD
125	L			CVE-2022-32208: FTP-KRB bad message verification	2022-06-27	7.16.4	7.83.1	480 USD
124	M			CVE-2022-32207: Non-preserved file permissions	2022-06-27	7.69.0	7.83.1	2400 USD
123	M			CVE-2022-32206: HTTP compression denial of service	2022-06-27	7.57.0	7.83.1	2400 USD
122	L			CVE-2022-32205: Set-Cookie denial of service	2022-06-27	7.71.0	7.83.1	480 USD
121	M			CVE-2022-30115: HSTS bypass via trailing dot	2022-05-11	7.82.0	7.83.0	2400 USD
120	M			CVE-2022-27782: TLS and SSH connection too eager reuse	2022-05-11	7.16.1	7.83.0	2400 USD
119	L	lib		CVE-2022-27781: CERTINFO never-ending busy-loop	2022-05-11	7.34.0	7.83.0
118	M			CVE-2022-27780: percent-encoded path separator in URL host	2022-05-11	7.80.0	7.83.0	2400 USD
117	M			CVE-2022-27779: cookie for trailing dot TLD	2022-05-11	7.82.0	7.83.0	2400 USD
116	M	tool		CVE-2022-27778: curl removes wrong file on error	2022-05-11	7.83.0	7.83.0	2400 USD
115	L			CVE-2022-27776: Auth/cookie on redirect	2022-04-27	4.9	7.82.0	480 USD
114	L			CVE-2022-27775: Bad local IPv6 connection reuse	2022-04-27	7.65.0	7.82.0	480 USD
113	M			CVE-2022-27774: Credential on redirect	2022-04-27	4.9	7.82.0	2400 USD
112	M			CVE-2022-22576: OAUTH2 bearer bypass in connection re-use	2022-04-27	7.33.0	7.82.0	2400 USD
111	M			CVE-2021-22947: STARTTLS protocol injection via MITM	2021-09-15	7.20.0	7.78.0	1500 USD
110	M			CVE-2021-22946: Protocol downgrade required TLS bypassed	2021-09-15	7.20.0	7.78.0	1000 USD
109	M		C	CVE-2021-22945: UAF and double free in MQTT sending	2021-09-15	7.73.0	7.78.0	1000 USD
108	M			CVE-2021-22926: CURLOPT_SSLCERT mix-up with Secure Transport	2021-07-21	7.33.0	7.77.0	1000 USD
107	M		C	CVE-2021-22925: TELNET stack contents disclosure again	2021-07-21	7.7	7.77.0	800 USD
106	M			CVE-2021-22924: Bad connection reuse due to flawed path name checks	2021-07-21	7.10.4	7.77.0	1200 USD
105	M	tool		CVE-2021-22923: Metalink download sends credentials	2021-07-21	7.27.0	7.77.0	700 USD
104	M	tool		CVE-2021-22922: Wrong content via Metalink not discarded	2021-07-21	7.27.0	7.77.0	700 USD
103	H		C	CVE-2021-22901: TLS session caching disaster	2021-05-26	7.75.0	7.76.1	2000 USD
102	M		C	CVE-2021-22898: TELNET stack contents disclosure	2021-05-26	7.7	7.76.1	1000 USD
101	L			CVE-2021-22897: Schannel cipher selection surprise	2021-05-26	7.61.0	7.76.1	800 USD
100	L			CVE-2021-22890: TLS 1.3 session ticket proxy host mix-up	2021-03-31	7.63.0	7.75.0
99	L			CVE-2021-22876: Automatic referer s credentials	2021-03-31	7.1.1	7.75.0	800 USD
98	M			CVE-2020-8286: Inferior OCSP verification	2020-12-09	7.41.0	7.73.0	900 USD
97	M	lib		CVE-2020-8285: FTP wildcard stack overflow	2020-12-09	7.21.0	7.73.0
96	L			CVE-2020-8284: trusting FTP PASV responses	2020-12-09	4.0	7.73.0	700 USD
95	L	lib		CVE-2020-8231: wrong connect-only connection	2020-08-19	7.29.0	7.71.1	500 USD
94	M	tool		CVE-2020-8177: curl overwrite local file with -J	2020-06-24	7.20.0	7.70.0	700 USD
93	M			CVE-2020-8169: Partial password over DNS on HTTP redirect	2020-06-24	7.62.0	7.70.0	400 USD
92	M		C	CVE-2019-5481: FTP-KRB double free	2019-09-11	7.52.0	7.65.3	200 USD
91	M	lib	C	CVE-2019-5482: TFTP small blocksize heap buffer overflow	2019-09-11	7.19.4	7.65.3	250 USD
90	H			CVE-2019-5443: Windows OpenSSL engine code injection	2019-06-24	7.44.0	7.65.1	200 USD
89	L		C	CVE-2019-5436: TFTP receive buffer overflow	2019-05-22	7.19.4	7.64.1	200 USD
88	L		C	CVE-2019-5435: Integer overflows in URL parser	2019-05-22	7.62.0	7.64.1	150 USD
87	M		C	CVE-2018-16890: NTLM type-2 out-of-bounds buffer read	2019-02-06	7.36.0	7.63.0
86	H		C	CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow	2019-02-06	7.36.0	7.63.0
85	L		C	CVE-2019-3823: SMTP end-of-response out-of-bounds read	2019-02-06	7.34.0	7.63.0
84	L	tool	C	CVE-2018-16842: warning message out-of-buffer read	2018-10-31	7.14.1	7.61.1	100 USD
83	L		C	CVE-2018-16840: use after free in handle close	2018-10-31	7.59.0	7.61.1	100 USD
82	L		C	CVE-2018-16839: SASL password overflow via integer overflow	2018-10-31	7.33.0	7.61.1
81	H		C	CVE-2018-14618: NTLM password overflow via integer overflow	2018-09-05	7.15.4	7.61.0
80	H		C	CVE-2018-0500: SMTP send heap buffer overflow	2018-07-11	7.54.1	7.60.0
79	H		C	CVE-2018-1000300: FTP shutdown response buffer overflow	2018-05-16	7.54.1	7.59.0
78	M		C	CVE-2018-1000301: RTSP bad headers buffer over-read	2018-05-16	7.20.0	7.59.0
77	M		C	CVE-2018-1000122: RTSP RTP buffer over-read	2018-03-14	7.20.0	7.58.0
76	L		C	CVE-2018-1000121: LDAP NULL pointer dereference	2018-03-14	7.21.0	7.58.0
75	H		C	CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write	2018-03-14	7.12.3	7.58.0
74	L			CVE-2018-1000007: HTTP authentication in redirects	2018-01-24	6.0	7.57.0
73	L		C	CVE-2018-1000005: HTTP/2 trailer out-of-bounds read	2018-01-24	7.49.0	7.57.0
72	H		C	CVE-2017-8818: SSL out of buffer access	2017-11-29	7.56.0	7.56.1
71	M	lib	C	CVE-2017-8817: FTP wildcard out of bounds read	2017-11-29	7.21.0	7.56.1
70	M		C	CVE-2017-8816: NTLM buffer overflow via integer overflow	2017-11-29	7.36.0	7.56.1
69	M		C	CVE-2017-1000257: IMAP FETCH response out of bounds read	2017-10-12	7.20.0	7.56.0
68	M		C	CVE-2017-1000254: FTP PWD response parser out of bounds read	2017-10-04	7.7	7.55.1
67	M	tool	C	CVE-2017-1000101: URL globbing out of bounds read	2017-08-09	7.34.0	7.54.1
66	H		C	CVE-2017-1000100: TFTP sends more than buffer size	2017-08-09	7.15.0	7.54.1
65	M		C	CVE-2017-1000099: FILE buffer read out of bounds	2017-08-09	7.54.1	7.54.1
64	H		C	CVE-2017-9502: URL file scheme drive letter buffer overflow	2017-06-14	7.53.0	7.54.0
63	H			CVE-2017-7468: TLS session resumption client cert bypass (again)	2017-04-19	7.52.0	7.53.1
62	M	tool	C	CVE-2017-7407: --write-out out of buffer read	2017-04-03	6.5	7.53.1
61	M			CVE-2017-2629: SSL_VERIFYSTATUS ignored	2017-02-22	7.52.0	7.52.1
60	H			CVE-2016-9594: uninitialized random	2016-12-23	7.52.0	7.52.0
59	M	lib	C	CVE-2016-9586: printf floating point buffer overflow	2016-12-21	5.4	7.51.0
58	M			CVE-2016-9952: Win CE Schannel cert wildcard matches too much	2016-12-21	7.27.0	7.51.0
57	M		C	CVE-2016-9953: Win CE Schannel cert name out of buffer read	2016-12-21	7.27.0	7.51.0
56	H			CVE-2016-8615: cookie injection for other servers	2016-11-02	4.9	7.50.3
55	M			CVE-2016-8616: case insensitive password comparison	2016-11-02	7.7	7.50.3
54	M		C	CVE-2016-8617: OOB write via unchecked multiplication	2016-11-02	7.8.1	7.50.3
53	M	lib	C	CVE-2016-8618: double free in curl_maprintf	2016-11-02	5.4	7.50.3
52	H		C	CVE-2016-8619: double free in krb5 code	2016-11-02	7.3	7.50.3
51	M	tool	C	CVE-2016-8620: glob parser write/read out of bounds	2016-11-02	7.34.0	7.50.3
50	M		C	CVE-2016-8621: curl_getdate read out of bounds	2016-11-02	7.12.2	7.50.3
49	M		C	CVE-2016-8622: URL unescape heap overflow via integer truncation	2016-11-02	7.24.0	7.50.3
48	H	lib	C	CVE-2016-8623: Use after free via shared cookies	2016-11-02	7.10.7	7.50.3
47	M			CVE-2016-8624: invalid URL parsing with '#'	2016-11-02	6.0	7.50.3
46	H			CVE-2016-8625: IDNA 2003 makes curl use wrong host	2016-11-02	7.12.0	7.50.3
45	M	lib	C	CVE-2016-7167: curl escape and unescape integer overflows	2016-09-14	7.11.1	7.50.2
44	H			CVE-2016-7141: Incorrect reuse of client certificates	2016-09-07	7.19.6	7.50.1
43	H			CVE-2016-5419: TLS session resumption client cert bypass	2016-08-03	5.0	7.50.0
42	M			CVE-2016-5420: Re-using connections with wrong client cert	2016-08-03	7.7	7.50.0
41	H	lib	C	CVE-2016-5421: use of connection struct after free	2016-08-03	7.32.0	7.50.0
40	H			CVE-2016-4802: Windows DLL hijacking	2016-05-30	7.11.1	7.49.0
39	H			CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL	2016-05-18	7.21.0	7.48.0
38	H	tool		CVE-2016-0754: remote filename path traversal in curl tool for Windows	2016-01-27	4.0	7.46.0
37	M			CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use	2016-01-27	7.10.7	7.46.0
36	H		C	CVE-2015-3237: SMB send off unrelated memory contents	2015-06-17	7.40.0	7.42.1
35	H			CVE-2015-3236: lingering HTTP credentials in connection re-use	2015-06-17	7.40.0	7.42.1
34	H			CVE-2015-3153: sensitive HTTP server headers also sent to proxies	2015-04-29	4.0	7.42.0
33	M		C	CVE-2015-3144: hostname out of boundary memory access	2015-04-22	7.37.0	7.41.0
32	M		C	CVE-2015-3145: cookie parser out of boundary memory access	2015-04-22	7.31.0	7.41.0
31	M			CVE-2015-3148: Negotiate not treated as connection-oriented	2015-04-22	7.10.6	7.41.0
30	M			CVE-2015-3143: Re-using authenticated connection when unauthenticated	2015-04-22	7.10.6	7.41.0
29	M			CVE-2014-8151: Secure Transport certificate check bypass	2015-01-08	7.31.0	7.39.0
28	H			CVE-2014-8150: URL request injection	2015-01-08	6.0	7.39.0
27	M	lib	C	CVE-2014-3707: duphandle read out of bounds	2014-11-05	7.17.1	7.38.0
26	H			CVE-2014-3620: cookie for TLDs	2014-09-10	7.31.0	7.37.1
25	M			CVE-2014-3613: cookie with IP address as domain	2014-09-10	4.0	7.37.1
24	M			CVE-2014-2522: not verifying certs for TLS to IP address / Schannel	2014-03-26	7.27.0	7.35.0
23	M			CVE-2014-1263: not verifying certs for TLS to IP address / Secure Transport	2014-03-26	7.27.0	7.35.0
22	M			CVE-2014-0139: IP address wildcard certificate validation	2014-03-26	7.10.3	7.35.0
21	M			CVE-2014-0138: wrong re-use of connections	2014-03-26	7.10.6	7.35.0
20	M			CVE-2014-0015: re-use of wrong HTTP NTLM connection	2014-01-29	7.10.6	7.34.0
19	M	lib		CVE-2013-6422: cert name check ignore with GnuTLS	2013-12-17	7.21.4	7.33.0
18	M	lib		CVE-2013-4545: cert name check ignore OpenSSL	2013-11-15	7.18.0	7.32.0
17	H	lib	C	CVE-2013-2174: URL decode buffer boundary flaw	2013-06-22	7.7	7.30.0
16	H			CVE-2013-1944: cookie domain tailmatch	2013-04-12	4.7	7.29.0
15	C		C	CVE-2013-0249: SASL buffer overflow	2013-02-06	7.26.0	7.28.1
14	H			CVE-2011-3389: SSL CBC IV vulnerability	2012-01-24	7.10.6	7.23.1
13	H			CVE-2012-0036: URL sanitization vulnerability	2012-01-24	7.20.0	7.23.1
12	M			CVE-2011-2192: inappropriate GSSAPI delegation	2011-06-23	7.10.6	7.21.6
11	H	tool		CVE-2010-3842: local file overwrite	2010-10-13	7.20.0	7.21.1
10	H	lib		CVE-2010-0734: data callback excessive length	2010-02-09	7.10.5	7.19.7
9	H		C	CVE-2009-2417: embedded zero in cert name	2009-08-12	7.4	7.19.5
8	M			CVE-2009-0037: Arbitrary File Access	2009-03-03	5.11	7.19.3
7	L			CVE-2007-3564: GnuTLS insufficient cert verification	2007-07-10	7.14.0	7.16.3
6	H		C	CVE-2006-1061: TFTP Packet Buffer Overflow	2006-03-20	7.15.0	7.15.2
5	H		C	CVE-2005-4077: URL Buffer Overflow	2005-12-07	7.11.2	7.15.0
4	H		C	CVE-2005-3185: NTLM Buffer Overflow	2005-10-13	7.10.6	7.14.1
3	H		C	CVE-2005-0490: Authentication Buffer Overflows	2005-02-21	7.3	7.13.0
2	H			CVE-2003-1605: Proxy Authentication Header Information age	2003-08-03	4.5	7.10.6
1	C		C	CVE-2000-0973: FTP Server Response Buffer Overflow	2000-10-13	6.0	7.4

C mistakes

Flaws listed as "C mistakes" are vulnerabilities that we deem are likely to not have happened should we have used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE, UNINIT and BAD_FREE.

Retracted security vulnerabilities

Issues no longer considered curl security problems:

CVE-2019-15601 - SMB access smuggling via FILE URL on Windows
CVE-2023-32001 - fopen race condition

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.

The JSON output follows the Open Source Vulnerability format