With 20 days left to next #curl release
Stats so far this cycle:
Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)
We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)
All three found with AI powered tooling.
So it is happening.
On this day six years ago, we learned that mr Robot curls:
daniel.haxx.se/blog/2019/12/10…
Exactly three years later, still this date, we found a #curl sighting in the movie Silk Road:
daniel.haxx.se/blog/2022/12/10…
The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a "curl sighting" in the show and very well I took a closer peek and what do we see some 37 minutes 36 secon… (daniel.haxx.se)
⭐ ⭐ ⭐ ⭐ ⭐
The #curl repo on GitHub surpassed 40K stars: github.com/curl/curl
⭐ ⭐ ⭐ ⭐ ⭐
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP... (GitHub)
Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.
My previous write-up on the rather lame injected problems they found:
daniel.haxx.se/blog/2025/10/22…
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools. (daniel.haxx.se)
curl_formget() accepts a user-provided callback function but does not validate it is non-NULL before calling it. If a caller passes NULL, the function will crash with SIGSEGV. Add NULL check at the... (GitHub)
#curl 8.18.0-rc1 is here => curl.se/rc/
As always, we appreciate if you can take it for a spin and verify that there are no regressions for your use cases.
The pending release notes are here: curl.se/dev/release-notes.html
12 screenshots and one video. On a claimed #curl problem that even in the title says *test suite*
Beware of the strong AI smell on this one.
"Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle" ... (HackerOne)
The Bug: We noticed that using IPv6 CIDR-Notation in a NO_PROXY env var doesn't have the desired effect, contrary to what the documentation at https://everything.curl.dev/usingcurl/proxies/env.h... (GitHub)
A new Hackerone issue was submitted for #curl and I had it closed as not applicable within four minutes. A new personal record I believe.
(It will be disclosed asap.)
Today December 4, at 18:00 CET I will talk tiny #curl. With a bird-themed slide set!
us02web.zoom.us/webinar/regist…
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users. (Zoom)
Reminder. #curl runs in all your devices. So I made a slide to show some of them.
(yeah, I've used and shown this slide numerous times before and I will probably do it again...)
Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl
ndcsecurity.com/speakers/danie…
NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel. (NDC)
We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html
If you have opinions on any of those, speak up on the mailing list asap.
over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…
It will be made available on video after the fact.
tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/
Someone invoked #curl on Windows powershell, saw a problem and reported it to us.
Yes. It was the dreaded alias. Again. Not a problem in "the real curl". I tried to get rid of this sorry thing, remember?
daniel.haxx.se/blog/2016/08/19…
PowerShell is a spiced up command line shell made by Microsoft. According to some people, it is a really useful and good shell alternative. (daniel.haxx.se)
Interesting numbers.
#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to 8.8GiB/sec.
I have encountered an issue similar to #6358. When pausing an upload, it is not actually excluded from the low speed cancelation. The issue seems to be that the condition in the code only checks if... (GitHub)
On this day nine years ago, #curl received its first security audit report.
daniel.haxx.se/blog/2016/11/23…
"the overall impression of the state of security and robustness of the cURL library was positive." I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. (daniel.haxx.se)
Ah, #curl still in use, I see:
> otool -L ~/.cargo/bin/rustup
...
/usr/lib/libcurl.4.dylib
and cargo itself is:
~/.cargo/bin/cargo -> rustup
We try to keep it all safe to the best of our abilities.😌
In today's edition of #ChatGPT imagines a non-existent #curl feature, much to @bagder 's dismay...
As passed along by my colleague who discovered this, the prompt included: "find a website that is actually hosted on physical infrastructure in Guam"
and ChatGPT suggested one on #Akamai but then suggested using the non-existent --no-cdn flag to skip straight to the origin. Please don't take this as a suggestion to implement such a feature. 🙂
A real Hackerone #curl report title!:
"Out-of-bounds read in *** potential crash. This is sharp, <reporter name>. We've got a real memory safety bug"
The AI is helpfully cheering the guy onwards to slopping. Of course, it is a false positive.
In 2007 I did a talk about #curl at the FSCONS conference. The video is lost in time but today I realized that FSF Europe is still hosting the torrent file.
Not too many seeders of that content left though... 😎
Friends don't let friends disable TLS server verification. (#curl is used, but the check is explicitly disabled by the app)
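An added example (not curl's code and not from the post above): a small Python audit that flags the two usual ways an application switches that check off, the libcurl options CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST set to 0 and the -k / --insecure command line flag, run over constructed sample lines. The sample lines and the function names are assumptions made for illustration. The right fix is to leave those options at their defaults and, when a private CA is involved, point CURLOPT_CAINFO or --cacert at that CA bundle instead of disabling verification.

```python
import re

# Constructed sample input (not from any real project): a mix of libcurl C
# calls and curl command lines as they might appear in a code review.
SAMPLE_LINES = [
    'curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/api");',
    'curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);',   # bad
    'curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);',   # bad
    'curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);',   # default, fine
    'curl_easy_setopt(curl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-bundle.crt");',
    'curl -k https://example.com/',                          # bad
    'curl --insecure -o out.bin https://example.com/',       # bad
    'curl --cacert corp-root.pem https://intranet.example/',  # correct way to trust a private CA
    'curl https://example.com/',
]

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, <int>[L])
SETOPT_RE = re.compile(
    r'curl_easy_setopt\s*\([^,]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*(\d+)L?\s*\)'
)


def audit_line(line):
    """Return a short finding if this line disables TLS server verification, else None."""
    m = SETOPT_RE.search(line)
    if m:
        opt, val = m.group(1), int(m.group(2))
        # 0 disables the check for both options; any non-zero value keeps it on.
        return f"{opt} set to 0 (verification disabled)" if val == 0 else None

    stripped = line.strip()
    if stripped == "curl" or stripped.startswith("curl "):
        for tok in stripped.split()[1:]:
            if tok == "--insecure":
                return "--insecure on command line"
            # Short options may be clustered, e.g. -ksS, so look inside the cluster.
            if tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
                return f"-k in option cluster {tok}"
    return None


def audit(lines):
    """Return [(1-based line number, finding)] for every line that disables verification."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = audit_line(line)
        if finding:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_LINES):
        print(f"line {number}: {finding}")
```

Run it as a pre-commit or CI step over C sources and shell scripts; a hit on CURLOPT_SSL_VERIFYPEER or -k is almost never justified outside a local test rig.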
This change increases the minimum stack cookie for the AmigaOS build of the curl tool. In testing, the older stack size of 16384 was causing curl to crash on heavy TLS loads. These operations are si... (GitHub)