Haxx Curl vulnerabilities

CVE-2015-3143 [MEDIUM] CVE-2015-3143: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remot cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

CVE-2021-22922 [MEDIUM] CWE-840 CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified agai When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several o

CVE-2022-32208 [MEDIUM] CWE-840 CVE-2022-32208: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wron When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

CVE-2019-5443 [HIGH] CWE-94 CVE-2019-5443: A non-privileged user or program can put code and a config file in a known non-privileged path (unde A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

CVE-2017-1000100 [MEDIUM] CVE-2017-1000100: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in th

CVE-2022-27776 [MEDIUM] CWE-522 CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authenticati A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

CVE-2016-8616 [MEDIUM] CWE-592 CVE-2016-8616: A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insen A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused

CVE-2021-22947 [MEDIUM] CWE-310 CVE-2021-22947: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *b

CVE-2024-2466 [MEDIUM] CWE-297 CVE-2024-2466: libcurl did not check the server certificate of TLS connections done to a host specified as an IP ad libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTP

CVE-2026-3784 [MEDIUM] CWE-305 CVE-2026-3784: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the ne curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

CVE-2023-27535 [MEDIUM] CVE-2023-27535: An authentication bypass vulnerability exists in libcurl <8 An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CU

CVE-2014-0138 [MEDIUM] CVE-2014-0138: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) PO The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

CVE-2017-1000101 [MEDIUM] CWE-119 CVE-2017-1000101: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterat curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. Th

CVE-2022-32205 [MEDIUM] CWE-770 CVE-2022-32205: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl a A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to av

CVE-2016-3739 [MEDIUM] CWE-20 CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

CVE-2015-3237 [MEDIUM] CWE-20 CVE-2015-3237: The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers t The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.

CVE-2025-0665 [HIGH] CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection cha libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

CVE-2017-2629 [MEDIUM] CWE-295 CVE-2017-2629: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could

CVE-2023-27536 [MEDIUM] CVE-2023-27536: An authentication bypass vulnerability exists libcurl <8 An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. Th

CVE-2017-1000099 [MEDIUM] CVE-2017-1000099: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently dis