Haxx Org behind the curl project, with curl lead developer Daniel Stenberg

By the Year

In 2025 there have been 9 vulnerabilities in Haxx with an average score of 5.7 out of ten. Last year, in 2024 Haxx had 12 security vulnerabilities published. Right now, Haxx is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.19.

Recent Haxx Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2025-10966	Nov 07, 2025	cURL SSH SFTP Backend Missing Host Verification, MITM Risk curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.	Curl
CVE-2025-10148	Sep 12, 2025	Curl WebSocket Mask Not Updated per Frame, Allowing Cache Poisoning curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.	Curl
CVE-2025-9086	Sep 12, 2025	cURL: Heap Overread via Secure Cookie Path Comparison Bug 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.	Curl
CVE-2025-5399	Jun 07, 2025	libcurl WebSocket busy-loop DoS (CVE-2025-5399) Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.	Curl
CVE-2025-5025	May 28, 2025	libcurl QUIC HTTP/3 Certificate Pinning Bypass with wolfSSL libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.	Curl
CVE-2025-4947	May 28, 2025	libcurl QUIC IP cert bypass allows MITM libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.	Curl
CVE-2025-0167	Feb 05, 2025	curl Leaks Netrc Password to Redirected Host When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.	Curl
CVE-2025-0725	Feb 05, 2025	libcurl Buffer Overflow via old zlib 1.2.0.3 integer overflow (CURLOPT_ACCEPT_ENCODING) When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.	Curl Libcurl
CVE-2025-0665	Feb 05, 2025	libcurl double-close eventfd FD on connection teardown libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.	Curl
CVE-2024-11053	Dec 11, 2024	curl: Authentication Credential Leakage via HTTP Redirects When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.	Curl