Haxx Org behind the curl project, with curl lead developer Daniel Stenberg

By the Year

In 2026 there have been 10 vulnerabilities in Haxx with an average score of 5.7 out of ten. Last year, in 2025 Haxx had 9 security vulnerabilities published. That is, 1 more vulnerability have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.33

Recent Haxx Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-3805	Mar 11, 2026	curl SMB UAF: freed memory used on repeated request When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.	Curl
CVE-2026-3784	Mar 11, 2026	CURL: Improper HTTP Proxy Connection Reuse with Different Credentials curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.	Curl
CVE-2026-3783	Mar 11, 2026	curl HTTP Redirect Leaks OAuth2 Bearer Token When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.	Curl
CVE-2026-1965	Mar 11, 2026	libcurl Negotiate Auth Reuse Vulnerability: Wrong Credential Leak libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).	Curl
CVE-2025-15224	Jan 08, 2026	cURL SSH Agent Auth Leakage via SCP/SFTP When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.	Curl
CVE-2025-15079	Jan 08, 2026	cURL libcurl SSH known_hosts bypass via global file When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.	Curl
CVE-2025-14819	Jan 08, 2026	libcurl TLS CA Cache Bypass via CURLSSLOPT_NO_PARTIALCHAIN When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.	Curl
CVE-2025-14524	Jan 08, 2026	curl: OAuth2 Bearer Token Leak via Cross-Protocol Redirect When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.	Curl
CVE-2025-14017	Jan 08, 2026	LDAPS TLS Option Leak in libcurl (CVE-2025-14017) When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.	Curl
CVE-2025-13034	Jan 08, 2026	Curl libcurl: Public-Key Pinning Bypass on QUIC via GnuTLS When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.	Curl