I added a sentence to the #curl hackerone submission page:

"Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of lines that will exhaust us to death instead of making us understand your claim."

*Twelve* Hackerone submissions against #curl within the last seven days.

Zero of them turned out a confirmed vulnerability.

Several of them found, reported, phrased-in-far-too-many-words and mislead by stupid word completion machines.

If your company needs #curl support for OpenSSL 1.1 in 2026, just say so and we can have you covered in no time.

OpenSSL 1 support is dropped from the regular #curl releases but is available as a commercial offer.

This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.

And the year isn't over yet.

If you've been wanting to speak securely to your garage door or whatever MQTTS capable devices you want to control with your #curl command lines, look no further:

(this is planned to merge in time for the March 2026 release)

github.com/curl/curl/pull/1941…

mqtt: initial support for MQTTS by bagder · Pull Request #19418 · curl/curl

test cases documentation

^GitHub

When you‘re low on RAM, I recommend using a recent #curl for your internet transfers.

It can shuffle gigabytes back and forth using a few MB of your memory (mostly used by openssl).

If you develop an application, you can use #libcurl to gain its benefits.

Need to shape your traffic? For example bc you run a streaming service? #libcurl does that for you for all HTTP versions.

Today, twenty-nine awesome years ago, httpget 0.2 shipped. Unfortunately, both the source and the changelog for this release have been lost in time (like tears in rain).

httpget was the precursor to what later would become #curl

The internet, and the web, was different in 1996.

Five years ago I started getting these emails about #curl from NASA. Months later we learned this probably was related to them using curl in the Mars Helicopter mission.

daniel.haxx.se/blog/2020/12/17…

curl supports NASA

Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA.

^{daniel.haxx.se}

20,000 issues on GitHub

daniel.haxx.se/blog/2025/12/16…

#curl

20,000 issues on GitHub

The curl project moved over its source code hosting to GitHub in March 2010, but we kept the main bug tracker running like before - on Sourceforge. It took us a few years, but in 2015 we finally ditched the Sourceforge version fully.

^{daniel.haxx.se}

"Can #curl avoid to be in a future funnily named exploit that shakes the world?"

I blogged this eleven years ago and the story remains almost identical today...

daniel.haxx.se/blog/2014/12/15…

Can curl avoid to be in a future funnily named exploit that shakes the world?

During this year we've seen heartbleed and shellshock strike (and a  few more big flaws that I'll skip for now).

^{daniel.haxx.se}

On this day **fifteen years ago**, we shipped #curl 7.21.3 that introduced both --resolve and --xattr.

curl.se/docs/manpage.html#--re…

curl.se/docs/manpage.html#--xa…

curl.se/ch/7.21.3.html

#curl 8.18.0-rc2 is here. Take it for a spin and let us know!

curl.se/rc/

Limit the (#curl) URL size more?

curl.se/mail/lib-2025-12/0014.…

TODO: consider a multi-threaded #curl tool

github.com/curl/curl/pull/1997…

TODO: consider a multi-threaded curl tool by bagder · Pull Request #19971 · curl/curl

^GitHub

Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)

github.com/curl/curl/blob/28d2…

curl/lib/urlapi.c at 28d27570fa021011b8679344d090772fea49d0d1 · curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...

^GitHub

With 20 days left to next #curl release

Stats so far this cycle:

Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)

We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)

All three found with AI powered tooling.

So it is happening.

Cartero looks solid!

But for a fair comparison, let's put #curl on the chart.

On this day six years ago, we learned that mr Robot curls:

daniel.haxx.se/blog/2019/12/10…

Exactly three years later, still this date, we found a #curl sighting in the movie Silk Road:

daniel.haxx.se/blog/2022/12/10…

Mr Robot curls

The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a "curl sighting" in the show and very well I took a closer peek and what do we see some 37 minutes 36 secon…

^{daniel.haxx.se}

⭐ ⭐ ⭐ ⭐ ⭐

The #curl repo on GitHub surpassed 40K stars: github.com/curl/curl

⭐ ⭐ ⭐ ⭐ ⭐

GitHub - curl/curl: A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, T

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...

^GitHub

Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.

My previous write-up on the rather lame injected problems they found:

daniel.haxx.se/blog/2025/10/22…

AIxCC curl details

At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.

^{daniel.haxx.se}

#curl 8.18.0-rc1 is here => curl.se/rc/

As always, we appreciate if you can take it for a spin and verify that there are no regressions for your use cases.

The pending release notes are here: curl.se/dev/release-notes.html

12 screenshots and one video. On a claimed #curl problem that even in the title says *test suite*

Beware of the strong AI smell on this one.

hackerone.com/reports/3452725

curl disclosed on HackerOne: Title: Use-After-Free in cURL Test...

**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle** ```c /*************************************************************************** * ...

^HackerOne

A new Hackerone issue was submitted for #curl and I had it closed as not applicable within four minutes. A new personal record I believe.

(It will be disclosed asap.)

Today December 4, at 18:00 CET I will talk tiny #curl. With a bird-themed slide set!

us02web.zoom.us/webinar/regist…

Reminder. #curl runs in all your devices. So I made a slide to show some of them.

(yeah, I've used and shown this slide numerous times before and I will probably do it again...)

Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl

ndcsecurity.com/speakers/danie…

NDC Security Oslo 2026

NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel.

^NDC

We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html

If you have opinions on any of those, speak up on the mailing list asap.

over the weekend we did:

hackerone_count += 2;

Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.

curl.se/dashboard1.html#hacker…