Daniel Stenberg

10 exploits Active since Jul 2013
CVE-2021-22924 NOMISEC LOW STUB
libcurl 7.10.4-7.76.1 - Connection Reuse via Case-Insensitive Path Matching
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
CVSS 3.7
CVE-2019-17498 WRITEUP HIGH WRITEUP
libssh2 < 1.9.0 - Integer Overflow in SSH_MSG_DISCONNECT Bounds Check
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
CVSS 8.1
CVE-2013-2174 WRITEUP WRITEUP
curl 7.7-7.30.0 - Heap-Based Buffer Overflow via Crafted String Ending in Percent Character
Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
CVE-2018-0500 WRITEUP CRITICAL WRITEUP
curl 7.54.1-7.60.0 - Heap-Based Buffer Overflow in SMTP Data Transmission
Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
CVSS 9.8
CVE-2018-16839 WRITEUP MEDIUM WRITEUP
curl 7.33.0-7.61.1 - Denial of Service via SASL Authentication Buffer Overrun
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
CVSS 4.3
CVE-2018-16840 WRITEUP CRITICAL WRITEUP
curl 7.59.0-7.61.1 - Use-After-Free in Easy Handle Cleanup
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
CVSS 9.8
CVE-2018-16842 WRITEUP MEDIUM WRITEUP
curl 7.14.1-7.61.1 - Heap-Based Buffer Over-Read in voutf
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVSS 4.4
CVE-2021-22897 WRITEUP MEDIUM WRITEUP
curl 7.61.0-7.76.1 - Data Element Exposure via CURLOPT_SSL_CIPHER_LIST
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
CVSS 5.3
CVE-2022-40281 WRITEUP HIGH WRITEUP
Samsung TizenRT through 3.0_GBM - Information Disclosure via Missing X509_free in cyassl_connect_step2
An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.
CVSS 7.5
CVE-2025-0725 WRITEUP HIGH WRITEUP
libcurl <1.2.0.3 - Buffer Overflow
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
CVSS 7.3