Haxx Org behind the curl project, with curl lead developer Daniel Stenberg

By the Year

In 2026 there have been 6 vulnerabilities in Haxx with an average score of 5.2 out of ten. Last year, in 2025 Haxx had 9 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Haxx in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.50

Recent Haxx Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2025-15224	Jan 08, 2026	cURL SSH Agent Auth Leakage via SCP/SFTP When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.	Curl
CVE-2025-15079	Jan 08, 2026	cURL libcurl SSH known_hosts bypass via global file When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.	Curl
CVE-2025-14819	Jan 08, 2026	libcurl TLS CA Cache Bypass via CURLSSLOPT_NO_PARTIALCHAIN When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.	Curl
CVE-2025-14524	Jan 08, 2026	curl: OAuth2 Bearer Token Leak via Cross-Protocol Redirect When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.	Curl
CVE-2025-14017	Jan 08, 2026	LDAPS TLS Option Leak in libcurl (CVE-2025-14017) When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.	Curl
CVE-2025-13034	Jan 08, 2026	Curl libcurl: Public-Key Pinning Bypass on QUIC via GnuTLS When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.	Curl
CVE-2025-10966	Nov 07, 2025	cURL SSH SFTP Backend Missing Host Verification, MITM Risk curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.	Curl
CVE-2025-10148	Sep 12, 2025	Curl WebSocket Mask Not Updated per Frame, Allowing Cache Poisoning curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.	Curl
CVE-2025-9086	Sep 12, 2025	cURL: Heap Overread via Secure Cookie Path Comparison Bug 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.	Curl
CVE-2025-5399	Jun 07, 2025	libcurl WebSocket busy-loop DoS (CVE-2025-5399) Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.	Curl