Haxx Curl vulnerabilities

CVE-2025-9086 [HIGH] CWE-125 CVE-2025-9086: 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or oth 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored.

CVE-2016-8624 [HIGH] CWE-20 CVE-2016-8624: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request th

CVE-2018-16890 [HIGH] CVE-2018-16890: libcurl versions from 7 libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer r

CVE-2024-6197 [HIGH] CVE-2024-6197: libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available

CVE-2026-5545 [MEDIUM] CWE-613 CVE-2026-5545: libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTT libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria

CVE-2018-1000121 [HIGH] CWE-476 CVE-2018-1000121: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service

CVE-2003-1605 [HIGH] CWE-255 CVE-2003-1605: curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.

CVE-2025-5399 [HIGH] CWE-835 CVE-2025-5399: Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted pac Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.

CVE-2026-3805 [HIGH] CWE-416 CVE-2026-3805: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointi When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

CVE-2018-16842 [CRITICAL] CWE-125 CVE-2018-16842: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.

CVE-2022-27778 [HIGH] CWE-706 CVE-2022-27778: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `- A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

CVE-2016-8621 [HIGH] CWE-125 CVE-2016-8621: The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.

CVE-2026-1965 [MEDIUM] CWE-305 CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authentic libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the c

CVE-2017-8818 [CRITICAL] CWE-119 CVE-2017-8818: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.

CVE-2020-8231 [HIGH] curl vulnerabilities curl vulnerabilities Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information. This issue only affected Ubuntu 20.10. (CVE-2020-8231) Varnavas Papaioannou discovered that curl incorrectly handled FTP PASV responses. An attacker could possibly use this issue to trick curl into connecting to an arbitrary IP address

CVE-2020-8169 [HIGH] CWE-200 CVE-2020-8169: curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

CVE-2005-0490 [HIGH] CWE-131 CVE-2005-0490: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the

CVE-2022-27782 [HIGH] CWE-840 CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been ch libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match che

CVE-2022-42916 [HIGH] CWE-319 CVE-2022-42916: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using it In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replac

CVE-2025-0725 [HIGH] CWE-120 CVE-2025-0725: When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.