daniel:// stenberg://

4 days ago

daniel:// stenberg://
4 days ago

Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.

My previous write-up on the rather lame injected problems they found:

daniel.haxx.se/blog/2025/10/22…

AIxCC curl details

At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.

^{daniel.haxx.se}

#curl

in reply to daniel:// stenberg://

Frank Gevaerts

in reply to daniel:// stenberg:// 4 days ago

Spoilsport! How can they have a decent vulnerability finding competition if you don't provide any? :)

in reply to Frank Gevaerts

daniel:// stenberg://

in reply to Frank Gevaerts 4 days ago

@FrankGevaerts we have published one CVE and have two more in the pending queue, that were found after the competition and were present in the code at the time of the competition...

@Frank Gevaerts

in reply to daniel:// stenberg://

Frank Gevaerts

in reply to daniel:// stenberg:// 4 days ago

My apologies. I should have known the curl team are team players!

in reply to daniel:// stenberg://

Graham Lee, D.Phil

in reply to daniel:// stenberg:// 4 days ago

for a realistic scenario they could have used vulnerabilities that were reported and patched after the training cut-off date for the models, and used a source version from before the patches were applied.

in reply to daniel:// stenberg://

Lucy

in reply to daniel:// stenberg:// 4 days ago

Wait, they took the upstream curl code and just injected vulns? Couldn't you, you know, search through the latest commits, diff them and find the closest match to the challenge code, and then look at what was changed?

⇧

daniel:// stenberg://

daniel:// stenberg:// 4 days ago • •

AIxCC curl details

Frank Gevaerts

daniel:// stenberg://

Frank Gevaerts

Graham Lee, D.Phil

Lucy

daniel:// stenberg://
4 days ago