Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / Releases / curl CVEs

curl CVEs

Related:
Audits
Bug Bounty
Changelog
curl CVEs
Vulnerability Disclosure
Vulnerabilities Table

If you find or simply suspect a security problem in curl or libcurl, please file a detailed report on our hackerone page and tell.

See also the Vulnerabilities Table to see what versions that are vulnerable to what flaws.

Published vulnerabilities

All | Medium+ | High+ | Critical

(The table below has been filtered to show Critical severity)

# S W C Vulnerability Published First Last Awarded
15
C
C
 CVE-2013-0249: SASL buffer overflow 2013-02-06 7.26.0 7.28.1
1
C
C
 CVE-2000-0973: FTP Server Response Buffer Overflow 2000-10-13 6.0 7.4

C mistakes

The flaws listed as "C mistakes" are vulnerabilities that we deem are likely to not have happened should we have used a memory-safe language rather than C. The C mistakes are divided into the following areas: OVERFLOW, OVERREAD, DOUBLE_FREE, USE_AFTER_FREE, NULL_MISTAKE and UNINIT.

Retracted security vulnerabilities

Issues no longer considered curl security problems:

Bogus security vulnerabilities

Issues filed by others that are plain lies:

curl vulnerability data

vuln.csv and vuln.json provide info about all vulnerabilities in machine friendly formats.

Each vulnerability is also provided as a single JSON that you can access at "https://curl.se/docs/$CVE.json" - replace $CVE with the actual curl CVE Id.

The JSON output follows the Open Source Vulnerability format