Haxx Curl vulnerabilities
190 known vulnerabilities affecting haxx/curl.
Total CVEs: 190
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 32, HIGH 61, MEDIUM 83, LOW 14
Vulnerabilities
Page 3 of 10
CVE-2016-8622 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 7.51.0-1 | 2018-07-31
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing
Sources: osv
CVE-2016-8620 | P3 | CRITICAL | CVSS 9.8 | CWE-120 | fixed in 7.51.0 | 2018-08-01
The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.
Sources: nvd, osv
CVE-2021-22926 | P3 | HIGH | CVSS 7.5 | CWE-840 | ≥ 7.33.0, < 7.78.0 | 2021-08-05
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool). When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same opt
Sources: nvd, osv
CVE-2017-2628 | P3 | CRITICAL | CVSS 9.8 | v7.19.7 | 2018-03-12
curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Sources: nvd
CVE-2013-2617 | P3 | HIGH | CWE-94 | ≥ 0, ≤ 0.0.9 | 2017-10-24
Curl Gem insufficient URL escaping command injection
`lib/curl.rb` in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
Sources: ghsa, osv
CVE-2016-5421 | P3 | HIGH | CVSS 8.1 | ≥ 0, < 7.50.1-1 | 2016-08-10
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
Sources: osv
CVE-2018-1000005 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 7.58.0-1 | 2018-01-24
libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently c
Sources: osv
CVE-2017-8817 | P3 | CRITICAL | CVSS 9.8 | CWE-125 | ≥ 7.21.0, ≤ 7.56.1 | 2017-11-29
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
Sources: nvd, osv
CVE-2017-1000257 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 7.56.1-1 | 2017-10-31
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the leng
Sources: osv
CVE-2018-1000301 | P3 | CRITICAL | CVSS 9.1 | CWE-125 | ≥ 7.20.0, ≤ 7.59.0 | 2018-05-24
curl versions 7.20.0 to and including 7.59.0 contain a CWE-126: Buffer Over-read vulnerability that can result in denial of service: curl can be tricked into reading data beyond the end of a heap-based buffer used to store downloaded RTSP content. This vulnerability appears to have been fixed in curl 7.60.0.
Sources: nvd, osv
CVE-2017-1000254 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 7.56.1-1 | 2017-10-06
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw
Sources: osv
CVE-2016-9586 | P3 | HIGH | CVSS 8.1 | CWE-122 | fixed in 7.52.0 | 2018-04-23
curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If any application accepts a format string from the outside without the necessary input filtering, it could allow remote attacks.
Sources: nvd, osv
CVE-2023-23914 | P3 | CRITICAL | CVSS 9.1 | CWE-319 | ≥ 7.77.0, < 7.88.0 | 2023-02-23
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would howe
Sources: nvd, osv
CVE-2026-5773 | P3 | HIGH | CVSS 7.5 | CWE-918 | ≥ 7.40.0, < 8.20.0 | 2026-05-13
libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested
Sources: nvd
CVE-2018-16840 | P3 | CRITICAL | CVSS 9.8 | CWE-416 | ≥ 7.59.0, < 7.62.0 | 2018-10-31
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that
Sources: nvd, osv
CVE-2023-28319 | P3 | HIGH | CVSS 7.5 | CWE-416 | fixed in 8.1.0 | 2023-05-26
A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the err
Sources: nvd, osv
CVE-2020-8286 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 7.74.0-1 | 2020-12-14
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Sources: osv
CVE-2016-8615 | P3 | HIGH | CVSS 7.5 | CWE-99 | fixed in 7.51.0 | 2018-08-01
A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
Sources: nvd, osv
CVE-2015-3144 | P3 | CRITICAL | CVSS 9.0 | CWE-119 | v7.37.0, v7.37.1 +4 more | 2015-04-24
The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
Sources: nvd, osv
CVE-2024-7264 | P3 | MEDIUM | CVSS 6.5 | ≥ 0, < 8.9.1-r0 | 2024-07-31
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a cra
Sources: osv