daniel:// stenberg://

1 day ago

daniel:// stenberg://
1 day ago

#curl 8.16.0 was just released:

daniel.haxx.se/blog/2025/09/10…

I will live-stream a release presentation at 10:00 CEST on twitch

curl 8.16.0

Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0.

^{daniel.haxx.se}

#curl

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 day ago

CVE-2025-9086: Out of bounds read for cookie path

Severity: Low

curl.se/docs/CVE-2025-9086.htm…

curl - Out of bounds read for cookie path - CVE-2025-9086

^curl.se

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 day ago

CVE-2025-10148: predictable WebSocket mask

Severity: Low

curl.se/docs/CVE-2025-10148.ht…

curl - predictable WebSocket mask - CVE-2025-10148

^curl.se

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 20 hours ago

oops I got the affected version range wrong for CVE-2025-10148, it has now been updated

in reply to daniel:// stenberg://

Poolitzer

in reply to daniel:// stenberg:// 1 day ago

uh a LLM doing a bug fix look at that

in reply to daniel:// stenberg://

Cassandrich

in reply to daniel:// stenberg:// 20 hours ago

Does curl have an option (command line or library interface) to forbid using cleartext protocols even when redirected?

(I.e. make the request fail rather than compromise secrecy, basically same as Firefox https-only mode.)

I thought of it because it would have prevented this from happening and it's probably what most modern users want.

in reply to Cassandrich

daniel:// stenberg://

in reply to Cassandrich 20 hours ago

this is a vulnerability only for users using "ws://" explicitly so such users would presumably override a secure-only filter if there would be one... (which there isn't... yet)

This entry was edited (20 hours ago)

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 20 hours ago

@dalias this vulnerability is mostly theoretical and really only hurts buggy proxies involved in the traffic

@Cassandrich

in reply to daniel:// stenberg://

Cassandrich

in reply to daniel:// stenberg:// 20 hours ago

I was talking about the http cookie OOB read bug, which presumably can be triggered when an attacker redirects you from an https url you intended to fetch to an http url on another site.