Haxx Curl vulnerabilities
190 known vulnerabilities affecting haxx/curl.
Total CVEs: 190
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 32, HIGH 61, MEDIUM 83, LOW 14
Vulnerabilities
Page 9 of 10
CVE-2025-14524 | P4 | MEDIUM | CVSS 5.3 | CWE-601 | Affected: ≥ 7.33.0, < 8.18.0 | Published: 2026-01-08
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
Sources: NVD, OSV
CVE-2011-2192 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 0, < 7.21.6-2 | Published: 2011-07-07
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Sources: OSV
CVE-2026-7009 | P4 | MEDIUM | CVSS 5.3 | CWE-295 | Affected: ≥ 8.17.0, < 8.20.0 | Published: 2026-05-13
When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine.
Sources: NVD
CVE-2014-3707 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 0, < 7.38.0-3 | Published: 2014-11-15
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
Sources: OSV
CVE-2014-0015 | P4 | MEDIUM | CVSS 4.0 | CWE-287 | Affected: v7.10.6, v7.10.7, +62 more | Published: 2014-02-02
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
Sources: NVD, OSV
CVE-2013-4545 | P4 | MEDIUM | CVSS 4.3 | CWE-310 | Affected: v7.18.0, v7.18.1, +32 more | Published: 2013-11-23
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Sources: NVD, OSV
CVE-2025-11563 | P4 | MEDIUM | CVSS 4.6 | Affected: ≥ 0, < 8.14.1-2+deb13u2; ≥ 0, < 8.17.0-2 | Published: 2026-02-25
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
Sources: OSV
CVE-2024-6874 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 0, < 8.9.0-1 | Published: 2024-07-24
libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw
Sources: OSV
CVE-2025-10966 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 7.69.0, < 8.17.0 | Published: 2025-11-07
curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.
Sources: NVD, OSV
CVE-2024-0853 | P4 | MEDIUM | CVSS 5.3 | CWE-295 | Affected: v8.5.0 | Published: 2024-02-03
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
Sources: NVD, OSV
CVE-2014-2522 | P4 | MEDIUM | CVSS 4.0 | CWE-20 | Affected: v7.27.0, v7.28.0, +8 more | Published: 2014-04-18
curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to sp
Sources: NVD
CVE-2025-5025 | P4 | MEDIUM | CVSS 4.8 | CWE-295 | Affected: ≥ 8.5.0, < 8.14.0 | Published: 2025-05-28
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed i
Sources: NVD, OSV
CVE-2022-30115 | P4 | MEDIUM | CVSS 4.3 | CWE-325 | Affected: ≥ 7.82.0, < 7.83.1 | Published: 2022-06-02
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the
Sources: NVD, OSV
CVE-2018-16980 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 0, < 7.64.0-r0 | Published: 2018-09-12
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
Sources: OSV
CVE-2021-22924 | P4 | LOW | CVSS 3.7 | Affected: ≥ 0, < 7.74.0-1.3+deb11u2; ≥ 0, < 7.79.1-1 | Published: 2021-08-05
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connectio
Sources: OSV
CVE-2023-38546 | P4 | LOW | CVSS 3.7 | Affected: ≥ 0, < 8.4.0-r0 | Published: 2023-10-18
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.
libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.
libcurl provides a function call that duplicates en
Sources: OSV
CVE-2020-8284 | P4 | LOW | CVSS 3.7 | CWE-200 | Affected: ≤ 7.73.0 | Published: 2020-12-14
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Sources: NVD, OSV
CVE-2019-5435 | P4 | LOW | CVSS 3.7 | CWE-131 | Affected: ≥ 7.62.0, ≤ 7.64.1 | Published: 2019-05-28
An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.
Sources: NVD, OSV
CVE-2021-22898 | P4 | LOW | CVSS 3.1 | CWE-200 | Affected: ≥ 7.7, ≤ 7.76.1 | Published: 2021-06-11
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the se
Sources: NVD, OSV
CVE-2013-6422 | P4 | MEDIUM | CVSS 4.0 | Affected: ≥ 0, < 7.34.0-1 | Published: 2013-12-23
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
Sources: OSV