Haxx Curl vulnerabilities

CVE-2025-10148 [MEDIUM] CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the spe curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involve

CVE-2026-6429 [MEDIUM] CVE-2026-6429: When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could l When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

CVE-2023-27537 [MEDIUM] CVE-2023-27537: A double free vulnerability exists in libcurl <8 A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

CVE-2021-22897 [MEDIUM] CWE-840 CVE-2021-22897: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake i curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple

CVE-2021-22923 [MEDIUM] CWE-319 CVE-2021-22923: When curl is instructed to get content using the metalink feature, and a user name and password are When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and witho

CVE-2013-1944 [MEDIUM] CWE-200 CVE-2013-1944: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the pat The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.

CVE-2023-28320 [MEDIUM] CWE-400 CVE-2023-28320: A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several differe A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that wa

CVE-2022-43552 [MEDIUM] CWE-416 CVE-2022-43552: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all p A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfe

CVE-2010-0734 [MEDIUM] CVE-2010-0734: content_encoding content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.

CVE-2023-27538 [MEDIUM] CVE-2023-27538: An authentication bypass vulnerability exists in libcurl prior to v8 An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the confi

CVE-2015-3153 [MEDIUM] CWE-200 CVE-2015-3153: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the p The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

CVE-2026-3783 [MEDIUM] CWE-522 CVE-2026-3783: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect t When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would

CVE-2014-8150 [MEDIUM] CVE-2014-8150: CRLF injection vulnerability in libcurl 6 CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

CVE-2017-9502 [MEDIUM] CWE-119 CVE-2017-9502: In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic th In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FIL

CVE-2016-0754 [MEDIUM] CWE-20 CVE-2016-0754: cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working di cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.

CVE-2025-14819 [MEDIUM] CWE-295 CVE-2025-14819: When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_ When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise w

CVE-2025-15079 [MEDIUM] CWE-297 CVE-2025-15079: When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl c When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

CVE-2016-8617 [HIGH] CWE-787 CVE-2016-8617: The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.

CVE-2025-14017 [MEDIUM] CVE-2025-14017: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

CVE-2023-46219 [MEDIUM] CWE-311 CVE-2023-46219: When saving HSTS data to an excessively long file name, curl could end up removing all contents, mak When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.