| Bug | Description |
|---|
| CVE-2024-7264 | libcurl's ASN1 parser code has the `GTime2str()` function, used for pa ... |
| CVE-2024-6874 | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/ ... |
| CVE-2024-6197 | libcurl's ASN1 parser has this utf8asn1str() function used for parsing ... |
| CVE-2024-2466 | libcurl did not check the server certificate of TLS connections done t ... |
| CVE-2024-2004 | When a protocol selection parameter option disables all protocols with ... |
| CVE-2024-0853 | curl inadvertently kept the SSL session ID for connections in its cach ... |
| CVE-2023-46218 | This flaw allows a malicious HTTP server to set "super cookies" in cur ... |
| CVE-2023-38546 | This flaw allows an attacker to insert cookies at will into a running ... |
| CVE-2023-38545 | This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy ... |
| CVE-2023-38039 | When curl retrieves an HTTP response, it stores the incoming headers s ... |
| CVE-2023-32001 | |
| CVE-2023-28319 | A use after free vulnerability exists in curl <v8.1.0 in the way libcu ... |
| CVE-2023-27538 | An authentication bypass vulnerability exists in libcurl prior to v8.0 ... |
| CVE-2023-27537 | A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS ... |
| CVE-2023-27536 | An authentication bypass vulnerability exists libcurl <8.0.0 in the co ... |
| CVE-2023-27535 | An authentication bypass vulnerability exists in libcurl <8.0.0 in the ... |
| CVE-2023-27533 | A vulnerability in input validation exists in curl <8.0 during communi ... |
| CVE-2023-23916 | An allocation of resources without limits or throttling vulnerability ... |
| CVE-2022-43552 | A use after free vulnerability exists in curl <7.87.0. Curl can be ask ... |
| CVE-2022-42915 | curl before 7.86.0 has a double free. If curl is told to use an HTTP p ... |
| CVE-2022-35260 | curl can be told to parse a `.netrc` file for credentials. If that fil ... |
| CVE-2022-35252 | When curl is used to retrieve and parse cookies from a HTTP(S) server, ... |
| CVE-2022-32221 | When doing HTTP(S) transfers, libcurl might erroneously use the read c ... |
| CVE-2022-32208 | When curl < 7.84.0 does FTP transfers secured by krb5, it handles mess ... |
| CVE-2022-32207 | When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files ... |
| CVE-2022-32206 | curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning ... |
| CVE-2022-32205 | A malicious server can serve excessive amounts of `Set-Cookie:` header ... |
| CVE-2022-30115 | Using its HSTS support, curl can be instructed to use HTTPS directly i ... |
| CVE-2022-27782 | libcurl would reuse a previously created connection even when a TLS or ... |
| CVE-2022-27781 | libcurl provides the `CURLOPT_CERTINFO` option to allow applications t ... |
| CVE-2022-27780 | The curl URL parser wrongly accepts percent-encoded URL separators lik ... |
| CVE-2022-27779 | libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) ... |
| CVE-2022-27778 | A use of incorrectly resolved name vulnerability fixed in 7.83.1 might ... |
| CVE-2022-27776 | A insufficiently protected credentials vulnerability in fixed in curl ... |
| CVE-2022-27775 | An information disclosure vulnerability exists in curl 7.65.0 to 7.82. ... |
| CVE-2022-27774 | An insufficiently protected credentials vulnerability exists in curl 4 ... |
| CVE-2022-22576 | An improper authentication vulnerability exists in curl 7.33.0 to and ... |
| CVE-2021-22947 | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server t ... |
| CVE-2021-22946 | A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful u ... |
| CVE-2021-22945 | When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 coul ... |
| CVE-2021-22925 | curl supports the `-t` command line option, known as `CURLOPT_TELNETOP ... |
| CVE-2021-22924 | libcurl keeps previously used connections in a connection pool for sub ... |
| CVE-2021-22901 | curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability ... |
| CVE-2021-22898 | curl 7.7 through 7.76.1 suffers from an information disclosure when th ... |
| CVE-2021-22897 | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wr ... |
| CVE-2021-22890 | curl 7.63.0 to and including 7.75.0 includes vulnerability that allows ... |
| CVE-2021-22876 | curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Pr ... |
| CVE-2020-8286 | curl 7.41.0 through 7.73.0 is vulnerable to an improper check for cert ... |
| CVE-2020-8285 | curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recu ... |
| CVE-2020-8284 | A malicious server can use the FTP PASV response to trick curl 7.73.0 ... |
| CVE-2020-8231 | Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can us ... |
| CVE-2020-8177 | curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of na ... |
| CVE-2020-8169 | curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure ... |
| CVE-2019-5482 | Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7. ... |
| CVE-2019-5481 | Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7 ... |
| CVE-2019-5443 | A non-privileged user or program can put code and a config file in a k ... |
| CVE-2019-5436 | A heap buffer overflow in the TFTP receiving code allows for DoS or ar ... |
| CVE-2019-5435 | An integer overflow in curl's URL API results in a buffer overflow in ... |
| CVE-2019-3823 | libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap ... |
| CVE-2019-3822 | libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stac ... |
| CVE-2018-1000301 | curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-1 ... |
| CVE-2018-1000300 | curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-1 ... |
| CVE-2018-1000122 | A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 ... |
| CVE-2018-1000121 | A NULL pointer dereference exists in curl 7.21.0 to and including curl ... |
| CVE-2018-1000120 | A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 i ... |
| CVE-2018-1000007 | libcurl 7.1 through 7.57.0 might accidentally leak authentication data ... |
| CVE-2018-1000005 | libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ... |
| CVE-2018-16890 | libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap ... |
| CVE-2018-16842 | Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buf ... |
| CVE-2018-16840 | A heap use-after-free flaw was found in curl versions from 7.59.0 thro ... |
| CVE-2018-16839 | Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun ... |
| CVE-2018-14618 | curl before version 7.61.1 is vulnerable to a buffer overrun in the NT ... |
| CVE-2018-0500 | Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including cur ... |
| CVE-2017-1000257 | An IMAP FETCH response line indicates the size of the returned data, i ... |
| CVE-2017-1000254 | libcurl may read outside of a heap allocated buffer when doing FTP. Wh ... |
| CVE-2017-1000101 | curl supports "globbing" of URLs, in which a user can pass a numerical ... |
| CVE-2017-1000100 | When doing a TFTP transfer and curl/libcurl is given a URL that contai ... |
| CVE-2017-1000099 | When asking to get a file from a file:// URL, libcurl provides a featu ... |
| CVE-2017-9502 | In curl before 7.54.1 on Windows and DOS, libcurl's default protocol f ... |
| CVE-2017-8818 | curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ... |
| CVE-2017-8817 | The FTP wildcard function in curl and libcurl before 7.57.0 allows rem ... |
| CVE-2017-8816 | The NTLM authentication feature in curl and libcurl before 7.57.0 on 3 ... |
| CVE-2017-7468 | In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would atte ... |
| CVE-2017-2629 | curl before 7.53.0 has an incorrect TLS Certificate Status Request ext ... |
| CVE-2017-2628 | curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-5 ... |
| CVE-2016-9953 | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ... |
| CVE-2016-9952 | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ... |
| CVE-2016-9594 | curl before version 7.52.1 is vulnerable to an uninitialized random in ... |
| CVE-2016-9586 | curl before version 7.52.0 is vulnerable to a buffer overflow when doi ... |
| CVE-2016-8624 | curl before version 7.51.0 doesn't parse the authority component of th ... |
| CVE-2016-8623 | A flaw was found in curl before version 7.51.0. The way curl handles c ... |
| CVE-2016-8622 | The URL percent-encoding decode function in libcurl before 7.51.0 is c ... |
| CVE-2016-8621 | The `curl_getdate` function in curl before version 7.51.0 is vulnerabl ... |
| CVE-2016-8620 | The 'globbing' feature in curl before version 7.51.0 has a flaw that l ... |
| CVE-2016-8619 | The function `read_data()` in security.c in curl before version 7.51.0 ... |
| CVE-2016-8618 | The libcurl API function called `curl_maprintf()` before version 7.51. ... |
| CVE-2016-8617 | The base64 encode function in curl before version 7.51.0 is prone to a ... |
| CVE-2016-8616 | A flaw was found in curl before version 7.51.0 When re-using a connect ... |
| CVE-2016-8615 | A flaw was found in curl before version 7.51. If cookie state is writt ... |
| CVE-2016-7167 | Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escap ... |
| CVE-2016-7141 | curl and libcurl before 7.50.2, when built with NSS and the libnsspem. ... |
| CVE-2016-5421 | Use-after-free vulnerability in libcurl before 7.50.1 allows attackers ... |
| CVE-2016-5420 | curl and libcurl before 7.50.1 do not check the client certificate whe ... |
| CVE-2016-5419 | curl and libcurl before 7.50.1 do not prevent TLS session resumption w ... |
| CVE-2016-4802 | Multiple untrusted search path vulnerabilities in cURL and libcurl bef ... |
| CVE-2016-4606 | Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 al ... |
| CVE-2016-0755 | The ConnectionExists function in lib/url.c in libcurl before 7.47.0 do ... |
| CVE-2016-0754 | cURL before 7.47.0 on Windows allows attackers to write to arbitrary f ... |
| CVE-2015-3237 | The smb_request_state function in cURL and libcurl 7.40.0 through 7.42 ... |
| CVE-2015-3236 | cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authenticat ... |
| CVE-2015-3153 | The default configuration for cURL and libcurl before 7.42.1 sends cus ... |
| CVE-2015-3148 | cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenti ... |
| CVE-2015-3145 | The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7 ... |
| CVE-2015-3144 | The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 do ... |
| CVE-2015-3143 | cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM c ... |
| CVE-2014-8151 | The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in l ... |
| CVE-2014-8150 | CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, ... |
| CVE-2014-3707 | The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, whe ... |
| CVE-2014-3620 | cURL and libcurl before 7.38.0 allow remote attackers to bypass the Sa ... |
| CVE-2014-3613 | cURL and libcurl before 7.38.0 does not properly handle IP addresses i ... |
| CVE-2014-2522 | curl and libcurl 7.27.0 through 7.35.0, when running on Windows and us ... |
| CVE-2014-1263 | curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport ... |
| CVE-2014-0139 | cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qso ... |
| CVE-2014-0138 | The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re- ... |
| CVE-2014-0015 | cURL and libcurl 7.10.6 through 7.34.0, when more than one authenticat ... |
| CVE-2013-6422 | The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling di ... |
| CVE-2013-4545 | cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disab ... |
| CVE-2013-2174 | Heap-based buffer overflow in the curl_easy_unescape function in lib/e ... |
| CVE-2013-1944 | The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 d ... |
| CVE-2013-0249 | Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message ... |
| CVE-2012-0036 | curl and libcurl 7.2x before 7.24.0 do not properly consider special c ... |
| CVE-2011-3389 | The SSL protocol, as used in certain configurations in Microsoft Windo ... |
| CVE-2011-2192 | The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10. ... |
| CVE-2010-3842 | Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, w ... |
| CVE-2010-0734 | content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enab ... |
| CVE-2009-2417 | lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is u ... |
| CVE-2009-0037 | The redirect implementation in curl and libcurl 5.11 through 7.19.3, w ... |
| CVE-2007-3564 | libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does no ... |
| CVE-2006-1061 | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 a ... |
| CVE-2005-4077 | Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 throug ... |
| CVE-2005-3185 | Stack-based buffer overflow in the ntlm_output function in http-ntlm.c ... |
| CVE-2005-0490 | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and ... |
| CVE-2003-1605 | curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote s ... |