Exploit Intelligence Platform

CVE-2025-0665 9.8 CRITICAL EPSS 0.12

libcurl - Use After Free

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

CWE-1341 Feb 05, 2025

CVE-2023-38545 9.8 CRITICAL 10 PoCs Analysis EPSS 0.26

curl - Buffer Overflow

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

CWE-787 Oct 18, 2023

CVE-2023-23914 9.1 CRITICAL EPSS 0.00

curl <7.88.0 - Info Disclosure

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

CWE-319 Feb 23, 2023

CVE-2022-32221 9.8 CRITICAL EPSS 0.02

Haxx Curl < 7.86.0 - Information Disclosure

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CWE-200 Dec 05, 2022

CVE-2022-32207 9.8 CRITICAL EPSS 0.00

curl <7.84.0 - Info Disclosure

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CWE-840 Jul 07, 2022

CVE-2021-22945 9.1 CRITICAL EPSS 0.00

libcurl <= 7.73.0, 7.78.0 - Use After Free

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

CWE-415 Sep 23, 2021

CVE-2016-4606 9.8 CRITICAL EPSS 0.00

Curl <7.49.1 - RCE/XSS/DoS/Bypass

Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.

Feb 21, 2020

CVE-2019-5482 9.8 CRITICAL EPSS 0.08

Haxx Curl < 7.65.3 - Out-of-Bounds Write

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CWE-122 Sep 16, 2019

CVE-2019-5481 9.8 CRITICAL EPSS 0.05

Haxx Curl < 7.65.3 - Double Free

Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

CWE-415 Sep 16, 2019

CVE-2019-3822 9.8 CRITICAL EPSS 0.28

Haxx Libcurl < 7.64.0 - Out-of-Bounds Write

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

CWE-121 Feb 06, 2019

CVE-2018-16840 9.8 CRITICAL 1 Writeup EPSS 0.00

curl <7.61.1 - Use After Free

A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

CWE-416 Oct 31, 2018

CVE-2018-0500 9.8 CRITICAL 1 Writeup EPSS 0.01

Haxx Curl < 7.60.0 - Out-of-Bounds Write

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).

CWE-787 Jul 11, 2018

CVE-2018-1000301 9.1 CRITICAL EPSS 0.03

curl <7.59.0 - Buffer Over-read

curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.

CWE-125 May 24, 2018

CVE-2018-1000300 9.8 CRITICAL EPSS 0.01

curl <7.59.0 - Buffer Overflow

curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.

CWE-787 May 24, 2018

CVE-2018-1000122 9.1 CRITICAL EPSS 0.02

curl <7.59 - Buffer Overflow

A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage

CWE-125 Mar 14, 2018

CVE-2018-1000120 9.8 CRITICAL EPSS 0.02

curl <7.58.0 - Buffer Overflow

A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.

CWE-787 Mar 14, 2018

CVE-2016-9953 9.8 CRITICAL EPSS 0.02

Haxx Curl < 7.51.0 - Out-of-Bounds Read

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.

CWE-125 Mar 12, 2018

CVE-2017-2628 9.8 CRITICAL EPSS 0.01

Haxx Curl - Authentication Bypass

curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

CWE-287 Mar 12, 2018

CVE-2018-1000007 9.8 CRITICAL EPSS 0.04

libcurl <7.57.0 - Info Disclosure

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Jan 24, 2018

CVE-2018-1000005 9.1 CRITICAL EPSS 0.00

Haxx Libcurl < 7.57.0 - Out-of-Bounds Read

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

CWE-125 Jan 24, 2018

CVE & Exploit Intelligence Database

Investigate

Ecosystems

Reference Indexes

Recent Blog Posts

CVEForge Labs

KEV Gaps