Top reports from curl program at HackerOne:
- CVE-2021-22901: TLS session caching disaster to curl - 72 upvotes, $2000
- CVE-2020-8177: curl overwrite local file with -J to curl - 52 upvotes, $700
- CVE-2023-38545: socks5 heap buffer overflow to curl - 52 upvotes, $0
- CVE-2024-7264: ASN.1 date parser overread to curl - 52 upvotes, $0
- CVE-2020-8286: Inferior OCSP verification to curl - 49 upvotes, $0
- Buffer Overflow Vulnerability in WebSocket Handling to curl - 35 upvotes, $0
- CVE-2024-8096: OCSP stapling bypass with GnuTLS to curl - 34 upvotes, $0
- CVE-2024-2004: Usage of disabled protocol to curl - 32 upvotes, $0
- CVE-2020-8284: trusting FTP PASV responses to curl - 30 upvotes, $0
- cookie is sent on redirect to curl - 30 upvotes, $0
- CVE-2024-6197: freeing stack buffer in utf8asn1str to curl - 29 upvotes, $0
- CVE-2023-32001: fopen race condition to curl - 26 upvotes, $0
- CVE-2023-46218: cookie mixed case PSL bypass to curl - 26 upvotes, $0
- CVE-2023-46219: HSTS long file name clears contents to curl - 26 upvotes, $0
- NULL dereference when encoding DN of x509 certificate to curl - 26 upvotes, $0
- CVE-2024-6874: macidn punycode buffer overread to curl - 24 upvotes, $0
- CVE-2019-5443: Windows Privilege Escalation: Malicious OpenSSL Engine to curl - 23 upvotes, $200
- CVE-2019-5435: An integer overflow found in /lib/urlapi.c to curl - 23 upvotes, $0
- CVE-2024-0853: OCSP verification bypass with TLS session reuse to curl - 22 upvotes, $0
- CVE-2020-8169: Partial password leak over DNS on HTTP redirect to curl - 21 upvotes, $0
- Buffer overflow and affected url:-https://github.com/curl/curl/blob/master/docs/examples/hsts-preload.c to curl - 21 upvotes, $0
- CVE-2023-28319: UAF in SSH sha256 fingerprint check to curl - 20 upvotes, $0
- HTTP/2 PUSH_PROMISE DoS to curl - 20 upvotes, $0
- CVE-2022-27776: Auth/cookie leak on redirect to curl - 19 upvotes, $0
- Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below
curl
results in indeterminate SSRF vulnerabilities. to curl - 19 upvotes, $0 - CVE-2024-2466: TLS certificate check bypass with mbedTLS to curl - 17 upvotes, $0
- CVE-2023-23916: HTTP multi-header compression denial of service to curl - 16 upvotes, $0
- CVE-2019-5436: Heap Buffer Overflow at lib/tftp.c to curl - 14 upvotes, $200
- CVE-2021-22945: UAF and double-free in MQTT sending to curl - 14 upvotes, $0
- CVE-2022-35252: control code in cookie denial of service to curl - 13 upvotes, $0
- CVE-2022-43552: HTTP Proxy deny use-after-free to curl - 12 upvotes, $0
- CVE-2023-27537: HSTS double-free to curl - 12 upvotes, $0
- CVE-2024-2398: HTTP/2 push headers memory-leak to curl - 12 upvotes, $0
- CVE-2020-8231: Connect-only connections can use the wrong connection to curl - 11 upvotes, $0
- CVE-2019-5482: Heap buffer overflow in TFTP when using small blksize to curl - 11 upvotes, $0
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL to curl - 11 upvotes, $0
- CVE-2021-22897: schannel cipher selection surprise to curl - 10 upvotes, $800
- SMB access smuggling via FILE URL on Windows to curl - 9 upvotes, $400
- CVE-2021-22946: Protocol downgrade required TLS bypassed to curl - 9 upvotes, $0
- CVE-2022-27778: curl removes wrong file on error to curl - 8 upvotes, $0
- Unicode-to-ASCII conversion on Windows can lead to argument injection and more to curl - 8 upvotes, $0
- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup to curl - 7 upvotes, $0
- CVE-2021-22947: STARTTLS protocol injection via MITM to curl - 7 upvotes, $0
- CVE-2022-27774: Credential leak on redirect to curl - 7 upvotes, $0
- CVE-2022-27780: percent-encoded path separator in URL host to curl - 7 upvotes, $0
- CVE-2022-32208: FTP-KRB bad message verification to curl - 7 upvotes, $0
- CVE-2022-43551: Another HSTS bypass via IDN to curl - 7 upvotes, $0
- CVE-2023-23915: HSTS amnesia with --parallel to curl - 7 upvotes, $0
- CVE-2021-22898: TELNET stack contents disclosure to curl - 6 upvotes, $1000
- Github wikis are editable by anyone #Githubwikistakeover to curl - 6 upvotes, $0
- CVE-2019-5481: krb5: double-free in read_data() after realloc() fail to curl - 6 upvotes, $0
- --libcurl code injection via trigraphs to curl - 6 upvotes, $0
- CVE-2022-42915: HTTP proxy double-free to curl - 6 upvotes, $0
- CVE-2023-23914: curl HSTS ignored on multiple requests to curl - 6 upvotes, $0
- Cache purge requests are not authenticated to curl - 6 upvotes, $0
- Denial of Service in curl Request - HTTP headers eat all memory to curl - 6 upvotes, $0
- Incorrect Encoding Conversion in hostname results in indeterminate SSRF vulnerabilities to curl - 6 upvotes, $0
- CVE-2021-22876: Automatic referer leaks credentials to curl - 5 upvotes, $0
- Remote memory disclosure vulnerability in libcurl on 64 Bit Windows to curl - 5 upvotes, $0
- CVE-2022-22576: OAUTH2 bearer bypass in connection re-use to curl - 5 upvotes, $0
- CVE-2022-30115: HSTS bypass via trailing dot to curl - 5 upvotes, $0
- Credential leak on redirect to curl - 5 upvotes, $0
- CVE-2022-35260: .netrc parser out-of-bounds access to curl - 5 upvotes, $0
- curl file writing susceptible to symlink attacks to curl - 5 upvotes, $0
- CVE-2021-22924: Bad connection reuse due to flawed path name checks to curl - 4 upvotes, $1200
- Signed integer overflow in tool_progress_cb() to curl - 4 upvotes, $0
- Active Mixed Content over HTTPS to curl - 4 upvotes, $0
- Invalid write (or double free) triggers curl command line tool crash to curl - 4 upvotes, $0
- Integer overflows in tool_operate.c at line 1541 to curl - 4 upvotes, $0
- SSRF via maliciously crafted URL due to host confusion to curl - 4 upvotes, $0
- CVE-2022-27775: Bad local IPv6 connection reuse to curl - 4 upvotes, $0
- CVE-2022-27779: cookie for trailing dot TLD to curl - 4 upvotes, $0
- CVE-2022-27782: TLS and SSH connection too eager reuse to curl - 4 upvotes, $0
- Memory leak in CURLOPT_XOAUTH2_BEARER to curl - 4 upvotes, $0
- CVE-2022-27781: CERTINFO never-ending busy-loop to curl - 4 upvotes, $0
- CVE-2022-32206: HTTP compression denial of service to curl - 4 upvotes, $0
- CVE-2022-32205: Set-Cookie denial of service to curl - 4 upvotes, $0
- CVE-2023-28320: siglongjmp race condition to curl - 4 upvotes, $0
- CVE-2021-22922: Wrong content via metalink not discarded to curl - 3 upvotes, $700
- CVE-2021-22923: Metalink download sends credentials to curl - 3 upvotes, $700
- curl overwrites local file with -J option if file non-readable, but file writable. to curl - 3 upvotes, $0
- Poll loop/hang on incomplete HTTP header to curl - 3 upvotes, $0
- Integer overflow in the source code tool_cb_prg.c to curl - 3 upvotes, $0
- CVE-2021-22925: TELNET stack contents disclosure again to curl - 3 upvotes, $0
- Denial of Service vulnerability in curl when parsing MQTT server response to curl - 3 upvotes, $0
- CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars to curl - 3 upvotes, $0
- error parse uri path in curl to curl - 3 upvotes, $0
- Credential leak when use two url to curl - 3 upvotes, $0
- CVE-2022-32207: Unpreserved file permissions to curl - 3 upvotes, $0
- CVE-2022-32221: POST following PUT confusion to curl - 3 upvotes, $0
- libssh backend CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 validation bypass to curl - 3 upvotes, $0
- CVE-2023-27533: Telnet option IAC injection to curl - 3 upvotes, $0
- CVE-2023-27534: SFTP path ~ resolving discrepancy to curl - 3 upvotes, $0
- CVE-2023-27535: FTP too eager connection reuse to curl - 3 upvotes, $0
- CVE-2023-27536: GSS delegation too eager connection re-use to curl - 3 upvotes, $0
- CVE-2023-27538: SSH connection too eager reuse still to curl - 3 upvotes, $0
- CVE-2023-28322: more POST-after-PUT confusion to curl - 3 upvotes, $0
- CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport to curl - 2 upvotes, $1000
- CVE-2020-8285: FTP wildcard stack overflow to curl - 2 upvotes, $0
- Abusing URL Parsers by long schema name to curl - 2 upvotes, $0
- Heap Buffer Overflow (READ of size 1) in ourWriteOut to curl - 2 upvotes, $0
- Libcurl ocasionally sends HTTPS traffic to port 443 rather than specified port 8080 to curl - 2 upvotes, $0
- Integer overlow in "header_append" function to curl - 2 upvotes, $0
- curl on Windows can be forced to execute code via OpenSSL environment variables to curl - 2 upvotes, $0
- Binary output bypass to curl - 2 upvotes, $0
- CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster to curl - 2 upvotes, $0
- Cookie injection from non-secure context to curl - 2 upvotes, $0
- Heap overflow via HTTP/2 PUSH_PROMISE to curl - 2 upvotes, $0
- CVE-2022-42916: HSTS bypass via IDN to curl - 2 upvotes, $0
- CVE-2023-28321: IDN wildcard match to curl - 2 upvotes, $0
- Insecure Frame (External) to curl - 1 upvotes, $0
- Parallel upload hangs curl if upload file not found to curl - 1 upvotes, $0
- libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823 to curl - 1 upvotes, $0
- Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time to curl - 1 upvotes, $0
- Division by zero if terminal width is 2 to curl - 1 upvotes, $0
- Unexpected access to process open files via file:///proc/self/fd/n to curl - 1 upvotes, $0
- use after free in cookie.c to curl - 1 upvotes, $0
- Potential invocation of qsort on uninitialized memory during cookie save to curl - 1 upvotes, $0
- Resource leak when using a normal site as DOH server to curl - 1 upvotes, $0
- Buffer write overflow when forming dns over http request to curl - 1 upvotes, $0
- Integer overflow at line 1603 in the src/operator.c file to curl - 1 upvotes, $0
- huge COLUMNS causes progress-bar to buffer overflow to curl - 1 upvotes, $0
- Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c to curl - 1 upvotes, $0
- Proxy-Authorization header carried to a new host on a redirect to curl - 1 upvotes, $0
- Occasional use-after-free in multi_done() libcurl-7.81.0 to curl - 1 upvotes, $0
- Use of Unsafe function || Strcpy to curl - 1 upvotes, $0
- curl proceeds with unsafe connections when -K file can't be read to curl - 1 upvotes, $0
- Certificate authentication re-use on redirect to curl - 1 upvotes, $0
- KRB-FTP: Security level downgrade to curl - 1 upvotes, $0
- curl "globbing" can lead to denial of service attacks to curl - 1 upvotes, $0
- Port and service scanning on localhost due to improper URL validation. to curl - 0 upvotes, $0
- Data race conditions reported by helgrind when performing parallel DNS queries in libcurl to curl - 0 upvotes, $0
- Only OpenSSL handles a CRL when passed in via CApath to curl - 0 upvotes, $0
- curl successfully matches IP address literal in URL against IP address literal in certificate Common Name to curl - 0 upvotes, $0
- Curl_auth_create_plain_message integer overflow leads to heap buffer overflow to curl - 0 upvotes, $0
- curl still vulnerable to SMB access smuggling via FILE URL on Windows to curl - 0 upvotes, $0
- Incorrect IPv6 literal parsing leads to validated connection to unexpected https server. to curl - 0 upvotes, $0
- Double-free of
trailers_buf' on
Curl_http_compile_trailers()` failure to curl - 0 upvotes, $0 - match to curl - 0 upvotes, $0
- Integer overflows in unescape_word() to curl - 0 upvotes, $0