Haxx Curl vulnerabilities
190 known vulnerabilities affecting haxx/curl.
Total CVEs: 190
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 32, HIGH 61, MEDIUM 83, LOW 14
Vulnerabilities
Page 7 of 10
CVE-2021-22876 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 0, < 7.47.0-1ubuntu2.19; ≥ 0, < 7.58.0-2ubuntu3.13; +1 more | 2021-03-31
CVE-2021-22876 [MEDIUM] curl vulnerabilities
Viktor Szakats discovered that curl did not strip off user credentials from referrer header fields. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2021-22876)
Mingtao Yang discovered that curl incorrectly handled session tickets when using an HTTPS proxy. A remote attacker in control of an HTTPS proxy could use this issue to bypass certificate checks and intercept communications. This issue
Sources: osv
CVE-2023-23915 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.77.0, < 7.88.0 | 2023-02-23
CVE-2023-23915 [MEDIUM] CWE-319
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS
Sources: nvd, osv
CVE-2024-8096 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.41.0, < 8.10.0 | 2024-09-11
CVE-2024-8096 [MEDIUM] CWE-295
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not
Sources: nvd, osv
CVE-2023-28321 | P4 | MEDIUM | CVSS 5.9 | Affected: fixed in 8.1.0 | 2023-05-26
CVE-2023-28321 [MEDIUM] CWE-295
An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would mat
Sources: nvd, osv
CVE-2022-27774 | P4 | MEDIUM | CVSS 5.7 | Affected: ≥ 4.9, ≤ 7.82.0 | 2022-06-02
CVE-2022-27774 [MEDIUM] CWE-522
An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0 that could allow an attacker to extract credentials: when following HTTP(S) redirects with authentication in use, curl could leak credentials to other services that exist on different protocols or port numbers.
Sources: nvd, osv
CVE-2025-13034 | P4 | MEDIUM | CVSS 5.9 | Affected: ≥ 8.8.0, < 8.18.0 | 2026-01-08
CVE-2025-13034 [MEDIUM] CWE-295
When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer.
This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To ski
Sources: nvd, osv
CVE-2015-3236 | P4 | MEDIUM | CVSS 5.0 | Affected: v7.40.0, v7.41.0, +2 more | 2015-06-22
CVE-2015-3236 [MEDIUM] CWE-200
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
Sources: nvd, osv
CVE-2016-4802 | P4 | HIGH | CVSS 7.8 | Affected: ≤ 7.49.0 | 2016-06-24
CVE-2016-4802 [HIGH] CWE-264
Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.
Sources: nvd
CVE-2014-3613 | P4 | MEDIUM | CVSS 5.0 | Affected: ≤ 7.37.1, v7.31.0, +6 more | 2014-11-18
CVE-2014-3613 [MEDIUM] CWE-310
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
Sources: nvd, osv
CVE-2021-22925 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 7.7, < 7.78.0 | 2021-08-05
CVE-2021-22925 [MEDIUM] CWE-200
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revea
Sources: nvd, osv
CVE-2014-3620 | P4 | MEDIUM | CVSS 5.0 | Affected: ≤ 7.37.1, v7.31.0, +6 more | 2014-11-18
CVE-2014-3620 [MEDIUM] CWE-310
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
Sources: nvd, osv
CVE-2025-4947 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 8.8.0, < 8.14.0 | 2025-05-28
CVE-2025-4947 [MEDIUM] CWE-295
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Sources: nvd, osv
CVE-2026-6253 | P4 | MEDIUM | CVSS 5.9 | Affected: ≥ 7.14.1, < 8.20.0 | 2026-05-13
CVE-2026-6253 [MEDIUM] CWE-522
curl might erroneously pass on credentials for a first proxy to a second proxy.
This can happen when the following conditions are true:
1. curl is set up to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say `http://`), curl is
Sources: nvd
CVE-2026-4873 | P4 | MEDIUM | CVSS 5.9 | Affected: ≥ 7.20.0, < 8.20.0 | 2026-05-13
CVE-2026-4873 [MEDIUM] CWE-319
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmits data unencrypted.
Sources: nvd
CVE-2026-7168 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 7.12.0, < 8.20.0 | 2026-05-13
CVE-2026-7168 [MEDIUM] CWE-294
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
Sources: nvd
CVE-2014-0139 | P4 | MEDIUM | CVSS 5.8 | Affected: v7.10.6, v7.10.7, +63 more | 2014-04-15
CVE-2014-0139 [MEDIUM] CWE-310
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Sources: nvd, osv
CVE-2022-35260 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.84.0, < 7.86.0 | 2022-12-05
CVE-2022-35260 [MEDIUM] CWE-125
curl can be told to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer, and if the read works, write a zero byte beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also
Sources: nvd, osv
CVE-2023-23916 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.57.0, < 7.88.0 | 2023-02-23
CVE-2023-23916 [MEDIUM] CWE-770
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemente
Sources: nvd, osv
CVE-2024-2379 | P4 | MEDIUM | CVSS 6.3 | Affected: v8.6.0 | 2024-03-27
CVE-2024-2379 [MEDIUM] CWE-295
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
Sources: nvd, osv
CVE-2022-27779 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 7.82.0, < 7.83.1 | 2022-06-02
CVE-2022-27779 [MEDIUM] CWE-201
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least preven
Sources: nvd, osv