
curl — Vulnerabilities & Security Advisories (39)

Browse all 39 CVE security advisories affecting curl. AI-powered Chinese analysis, POCs, and references for each vulnerability.

curl is a widely used command-line tool and library for transferring data with URL syntax, supporting protocols such as HTTP, HTTPS, and FTP. Because it is embedded in automation scripts, build pipelines, and embedded devices, a flaw in curl or libcurl is reachable from a very large number of systems. Historically, its vulnerabilities have predominantly been buffer overflows, integer overflows, and improper input validation, with potential outcomes ranging from denial of service to remote code execution; a second recurring class, visible in the list below, is credential leakage and certificate-verification bypass across its many TLS and SSH backends. Cross-site scripting is largely irrelevant since curl is not a browser, but privilege escalation becomes a concern when curl runs with elevated permissions. Notable incidents include flaws that let a crafted URL or server response bypass security checks or trigger memory corruption. With 39 recorded CVEs, keeping curl and libcurl up to date (and tracking which TLS/SSH backend a given build uses) is essential to mitigate the risks that come with its extensive protocol support and deep integration into global infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3805 | use after free in SMB connection reuse — curl | 9.1 | - | 2026-03-11 |
| CVE-2026-3784 | wrong proxy connection reuse with credentials — curl | 7.5 | - | 2026-03-11 |
| CVE-2026-3783 | token leak with redirect and netrc — curl | 6.5 | - | 2026-03-11 |
| CVE-2026-1965 | bad reuse of HTTP Negotiate connection — curl | 7.7 | - | 2026-03-11 |
| CVE-2025-11563 | wcurl path traversal with percent-encoded slashes — curl | 9.1 | Critical (AI) | 2026-02-25 |
| CVE-2025-15224 | libssh key passphrase bypass without agent set — curl | 9.8 | - | 2026-01-08 |
| CVE-2025-15079 | libssh global known_hosts override — curl | 7.5 | - | 2026-01-08 |
| CVE-2025-14819 | OpenSSL partial chain store policy bypass — curl | 8.2 | - | 2026-01-08 |
| CVE-2025-14524 | bearer token leak on cross-protocol redirect — curl | 4.3 | - | 2026-01-08 |
| CVE-2025-14017 | broken TLS options for threaded LDAPS — curl | 4.3 | - | 2026-01-08 |
| CVE-2025-13034 | No QUIC certificate pinning with GnuTLS — curl | 7.5 | - | 2026-01-08 |
| CVE-2025-10966 | missing SFTP host verification with wolfSSH — curl | 7.4 | - | 2025-11-07 |
| CVE-2025-10148 | predictable WebSocket mask — curl | 7.1 | - | 2025-09-12 |
| CVE-2025-9086 | Out of bounds read for cookie path — curl | 8.1 | - | 2025-09-12 |
| CVE-2025-5399 | WebSocket endless loop — curl | 7.5 | High (AI) | 2025-06-07 |
| CVE-2025-5025 | No QUIC certificate pinning with wolfSSL — curl | 6.5 | Medium (AI) | 2025-05-28 |
| CVE-2025-4947 | QUIC certificate check skip with wolfSSL — curl | 7.4 | High (AI) | 2025-05-28 |
| CVE-2025-0725 | gzip integer overflow — curl | 8.8 | - | 2025-02-05 |
| CVE-2025-0665 | eventfd double close — curl | 7.1 | - | 2025-02-05 |
| CVE-2025-0167 | netrc and default credential leak — curl | 5.9 | - | 2025-02-05 |
| CVE-2024-11053 | netrc and redirect credential leak — curl | 6.5 | - | 2024-12-11 |
| CVE-2024-9681 | HSTS subdomain overwrites parent cache entry — curl | 5.9 | Medium (AI) | 2024-11-06 |
| CVE-2024-8096 | OCSP stapling bypass with GnuTLS — curl | 7.5 | High (AI) | 2024-09-11 |
| CVE-2024-7264 | ASN.1 date parser overread — curl | 9.1 | Critical (AI) | 2024-07-31 |
| CVE-2024-6874 | macidn punycode buffer overread — curl | 9.1 | Critical (AI) | 2024-07-24 |
| CVE-2024-6197 | freeing stack buffer in utf8asn1str — curl | 9.1 | Critical (AI) | 2024-07-24 |
| CVE-2024-2466 | TLS certificate check bypass with mbedTLS — curl | 5.9 | - | 2024-03-27 |
| CVE-2024-2379 | QUIC certificate check bypass with wolfSSL — curl | 7.5 | - | 2024-03-27 |
| CVE-2024-2398 | HTTP/2 push headers memory-leak — curl | - | - | 2024-03-27 |
| CVE-2024-2004 | Usage of disabled protocol — curl | 7.5 | - | 2024-03-27 |

Severity values marked "(AI)" carry the site's AI-assigned severity badge; "-" means the site lists no value for that field.

This page lists every published CVE security advisory associated with curl. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.