#curl 8.14.1 is out
daniel.haxx.se/blog/2025/06/04…
Thanks to Calvin Ruocco, Dan Fandrich, Daniel Stenberg, denandz on github, Ethan Everett, Jacob Mealey, Jeremy Drake, Jeroen Ooms, John Bampton, Kadambini Nema, Michael Kaufmann, Rasmus Melchior Jacobsen, Ray Satiro, Samuel Henrique, Stefan Eissing, Viktor Szakats, x-xiang on github, Yedaya Katsman, Yuyi Wang, z2_
curl 8.14.1
This is a patch-release done only a week since the previous version with no changes merged, only bugfixes. Because some of the regressions in 8.14.0 were a little too annoying to leave unattended for a full cycle.
daniel.haxx.se

daniel:// stenberg://
in reply to daniel:// stenberg://
curl - WebSocket endless loop - CVE-2025-5399
curl.se

daniel:// stenberg://
in reply to daniel:// stenberg://
The hackerone report behind this is also disclosed for full transparency.
hackerone.com/reports/3168039
curl disclosed on HackerOne: CVE-2025-5399: WebSocket endless loop
HackerOne

daniel:// stenberg://
in reply to daniel:// stenberg://
This flaw was deemed "not a C mistake". This problem was introduced independent of language used. A logic mistake.
Now we count 38.9% of all the curl CVEs to be mistakes we could have avoided had we not used C.