Haxx Curl
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Haxx Curl.
By the Year
In 2026 there have been 36 vulnerabilities in Haxx Curl with an average score of 5.9 out of ten. Last year, in 2025 Curl had 9 security vulnerabilities published. That is, 27 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.13
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 36 | 5.90 |
| 2025 | 9 | 6.03 |
| 2024 | 9 | 5.23 |
| 2023 | 16 | 7.09 |
| 2022 | 20 | 6.88 |
| 2021 | 9 | 6.06 |
| 2020 | 3 | 5.75 |
| 2019 | 4 | 7.78 |
| 2018 | 17 | 8.94 |
It may take a day or so for new Curl vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Haxx Curl Security Vulnerabilities
libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTION
CVE-2026-9547
- July 03, 2026
When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
libcurl : Referer Header Persists After NULL Clearing (CVE-2026-9546)
CVE-2026-9546
- July 03, 2026
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
libcurl HTTP/3 session resumption EarlyData info leak
CVE-2026-9545
- July 03, 2026
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
libcurl UAF via curl_easy_pause() in SOCKETFUNCTION
CVE-2026-9080
- July 03, 2026
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentials
CVE-2026-9079
- July 03, 2026
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
libcurl mTLS cert mismatch causes insecure connection reuse
CVE-2026-8932
- July 03, 2026
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
libcurl: Proxy Auth Leakage on Reused Handles
CVE-2026-8927
- July 03, 2026
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
curl Credential Inference via .netrc/Username Mismatch
CVE-2026-8926
- July 03, 2026
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
cURL doublefree via GSASL context cleanup bug
CVE-2026-8925
- July 03, 2026
The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.
Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSL
CVE-2026-8924
- July 03, 2026
A flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
libcurl Negotiate Authentication Connection Reuse Flaw
CVE-2026-8458
- July 03, 2026
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
CURL STARTTLS Connection Reuse with TLS Mismatch
CVE-2026-8286
- July 03, 2026
A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
cURL SSH Host Verification Bypass via Schemaless URL & --proto-default
CVE-2026-12064
- July 03, 2026
When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
libcurl Header Leak: Digest Auth Reused Across Origins
CVE-2026-11856
- July 03, 2026
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
curl Unbounded WebSocket PING Memory Exhaustion
CVE-2026-11586
- July 03, 2026
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
libcurl CA Trust Leakage via Persistent Connection Pool
CVE-2026-11564
- July 03, 2026
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse
CVE-2026-11352
- July 03, 2026
An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
Use-After-Free in libcurl during cleanup after stream-dependency reset
CVE-2026-10536
- July 03, 2026
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
libcurl Proxy Digest Auth Header Leak on Handle Reuse
CVE-2026-7168
5.3 - Medium
- May 13, 2026
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
curl: Improper OCSP Stapling Validation Leads to False Trust (CVE-2026-7009)
CVE-2026-7009
5.3 - Medium
- May 13, 2026
When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
CURL libcurl HTTP Redirect Password Leak via .netrc
CVE-2026-6429
5.3 - Medium
- May 13, 2026
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
Stale Host Header Causes Cookie Leakage in libcurl
CVE-2026-6276
7.5 - High
- May 13, 2026
Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
Curl Credential Leak via Proxy Chain Redirect
CVE-2026-6253
5.9 - Medium
- May 13, 2026
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
libcurl SMB Connection Reuse flaw leads to wrong file transfer
CVE-2026-5773
7.5 - High
- May 13, 2026
libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
libcurl Auth Credential Leak via Connection Reuse
CVE-2026-5545
6.5 - Medium
- May 13, 2026
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
curl TLS Reuse Vulnerability: Cleartext Leak
CVE-2026-4873
5.9 - Medium
- May 13, 2026
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.
Cleartext Transmission of Sensitive Information
curl SMB UAF: freed memory used on repeated request
CVE-2026-3805
7.5 - High
- March 11, 2026
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
Dangling pointer
CURL: Improper HTTP Proxy Connection Reuse with Different Credentials
CVE-2026-3784
6.5 - Medium
- March 11, 2026
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Authentication Bypass by Primary Weakness
curl HTTP Redirect Leaks OAuth2 Bearer Token
CVE-2026-3783
5.3 - Medium
- March 11, 2026
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Insufficiently Protected Credentials
libcurl Negotiate Auth Reuse Vulnerability: Wrong Credential Leak
CVE-2026-1965
6.5 - Medium
- March 11, 2026
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
Authentication Bypass by Primary Weakness
cURL SSH Agent Auth Leakage via SCP/SFTP
CVE-2025-15224
3.1 - Low
- January 08, 2026
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
authentification
cURL libcurl SSH known_hosts bypass via global file
CVE-2025-15079
5.3 - Medium
- January 08, 2026
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
Improper Validation of Certificate with Host Mismatch
libcurl TLS CA Cache Bypass via CURLSSLOPT_NO_PARTIALCHAIN
CVE-2025-14819
5.3 - Medium
- January 08, 2026
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.
Improper Certificate Validation
curl: OAuth2 Bearer Token Leak via Cross-Protocol Redirect
CVE-2025-14524
5.3 - Medium
- January 08, 2026
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
LDAPS TLS Option Leak in libcurl (CVE-2025-14017)
CVE-2025-14017
6.3 - Medium
- January 08, 2026
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.
Curl libcurl: Public-Key Pinning Bypass on QUIC via GnuTLS
CVE-2025-13034
5.9 - Medium
- January 08, 2026
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
Improper Certificate Validation
cURL SSH SFTP Backend Missing Host Verification, MITM Risk
CVE-2025-10966
4.3 - Medium
- November 07, 2025
curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.
Curl WebSocket Mask Not Updated per Frame, Allowing Cache Poisoning
CVE-2025-10148
5.3 - Medium
- September 12, 2025
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
cURL: Heap Overread via Secure Cookie Path Comparison Bug
CVE-2025-9086
7.5 - High
- September 12, 2025
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
libcurl WebSocket busy-loop DoS (CVE-2025-5399)
CVE-2025-5399
- June 07, 2025
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application.
Infinite Loop
libcurl QUIC IP cert bypass allows MITM
CVE-2025-4947
- May 28, 2025
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Improper Certificate Validation
libcurl QUIC HTTP/3 Certificate Pinning Bypass with wolfSSL
CVE-2025-5025
- May 28, 2025
libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.
Improper Certificate Validation
libcurl Buffer Overflow via old zlib 1.2.0.3 integer overflow (CURLOPT_ACCEPT_ENCODING)
CVE-2025-0725
- February 05, 2025
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Classic Buffer Overflow
libcurl double-close eventfd FD on connection teardown
CVE-2025-0665
7 - High
- February 05, 2025
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
curl Leaks Netrc Password to Redirected Host
CVE-2025-0167
- February 05, 2025
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
curl: Authentication Credential Leakage via HTTP Redirects
CVE-2024-11053
3.4 - Low
- December 11, 2024
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
curl HSTS Subdomain Cache Bleed
CVE-2024-9681
5.9 - Medium
- November 06, 2024
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.
curl OCSP Stapling fails to reject nonrevoked error statuses
CVE-2024-8096
- September 11, 2024
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.
libcurl ASN1 Parser Heap Overflow via Invalid Generalized Time
CVE-2024-7264
6.3 - Medium
- July 31, 2024
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
libcurl Bypass TLS Cert Check for IP Address with mbedTLS
CVE-2024-2466
- March 27, 2024
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).