I spent many hours yesterday debunking another hackerone report against #curl.
It's such a good sigh of relief when the ultimate conclusion is that it is not a vulnerability. (disclosed soon of course)
We are thirteen days from next #curl release.
At 349 merged bugfixes and five(!) pending CVE announcements.
By 62 contributors out of which 30 are commit authors.
Just confirming what @cpu said here. Rustls support in #curl is not going away and we'll remove the experimental once rustls declares it API stable.
(and if you want more rustls, there is also github.com/icing/mod_tls)
(GitHub: rustls based TLS for Apache httpd.)
There's also a curl-rustls Arch Linux package that dynamically links to rustls instead of openssl, however #curl still considers this experimental:
Microsoft: „1 engineer, 1 month, 1 million lines of code“
That would mean @bagder rewriting 5 #curl projects into Rust in a month.
Microsoft revising the „rewrite over a weekend“ meme to it actually taking them 6 days. For a person they have not hired yet. With tools they still have to invent.
If you are a MS customer, you'd better start putting more money into Copilot right away!
theregister.com/2025/12/24/mic…
": Plans move to Rust, with help from AI" (Simon Sharwood, The Register)
If you have ideas for a new #curl sticker design, let me know. I'm about to order a new batch soon.
Logo images to play with: curl.se/logo/
Basically the only way to get #curl stickers (without printing your own set) is to approach me when I show up somewhere to talk.
The next big chance is at #FOSDEM where I usually give away **thousands** of curl stickers.
It is always fine to pick a few extra to hand out to your friends and grandparents.
a #curl 2025 review
daniel.haxx.se/blog/2025/12/23…
(daniel.haxx.se: Let's take a look back and remember some of what this year brought. commits At more than 3,400 commits we did 40% more commits in curl this year than any single previous year! Since at some point during 2025, all the other authors in the project have…)
1. User complains to #hackerone that I named his *previous* name when he renamed himself to a silly name after I banned them in a #curl report filed back in October.
2. Hackerone asks me to respond on their support forum, on which I have no account. Grrr. I refuse to.
3. Replying to the hackerone email about this instead, I get a bounce saying they don't accept emails on support@hackerone ...
Kill me now.
Joshua Rogers on his bug bounty experiences in 2025.
Positive for #curl, kafka-esque for all others mentioned. 'BugCrowd' seems to be a typical level-1 support company living on denials.
(Joshua also reported on Apache and probably other projects where he could talk to the maintainers. I take #curl here as an example for FOSS projects interested in actually securing things.)
joshua.hu/2025-bug-bounty-stor…
(Joshua Rogers' Scribbles: A recap of my 2025 bug bounty experiences, featuring failures and stories from Google Cloud, GitHub, Vercel, Opera, and others.)
I added a sentence to the #curl hackerone submission page:
"Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of lines that will exhaust us to death instead of making us understand your claim."
*Twelve* Hackerone submissions against #curl within the last seven days.
Zero of them turned out to be a confirmed vulnerability.
Several of them found, reported, phrased-in-far-too-many-words and misled by stupid word completion machines.
If you've been wanting to speak securely to your garage door or whatever MQTTS capable devices you want to control with your #curl command lines, look no further:
(this is planned to merge in time for the March 2026 release)
github.com/curl/curl/pull/1941…
When you're low on RAM, I recommend using a recent #curl for your internet transfers.
It can shuffle gigabytes back and forth using a few MB of your memory (mostly used by openssl).
If you develop an application, you can use #libcurl to gain its benefits.
Need to shape your traffic? For example because you run a streaming service? #libcurl does that for you for all HTTP versions.
Today, twenty-nine awesome years ago, httpget 0.2 shipped. Unfortunately, both the source and the changelog for this release have been lost in time (like tears in rain).
httpget was the precursor to what later would become #curl
The internet, and the web, was different in 1996.
Five years ago I started getting these emails about #curl from NASA. Months later we learned this probably was related to them using curl in the Mars Helicopter mission.
daniel.haxx.se/blog/2020/12/17…
(daniel.haxx.se: Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA.)
20,000 issues on GitHub
daniel.haxx.se/blog/2025/12/16…
#curl
(daniel.haxx.se: The curl project moved over its source code hosting to GitHub in March 2010, but we kept the main bug tracker running like before - on Sourceforge. It took us a few years, but in 2015 we finally ditched the Sourceforge version fully.)
(GitHub: In a couple of places in the docs, time_posttransfer's output is mentioned as milliseconds while it is actually in seconds.)
"Can #curl avoid to be in a future funnily named exploit that shakes the world?"
I blogged this eleven years ago and the story remains almost identical today...
daniel.haxx.se/blog/2014/12/15…
(daniel.haxx.se: During this year we've seen heartbleed and shellshock strike (and a few more big flaws that I'll skip for now).)
On this day **fifteen years ago**, we shipped #curl 7.21.3 that introduced both --resolve and --xattr.
curl.se/docs/manpage.html#--re…
Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)
github.com/curl/curl/blob/28d2…
(GitHub: A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...)
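For readers who want to see what the dotdot normalizer challenge is about, here is an added, plain C implementation of the RFC 3986 section 5.2.4 "remove_dot_segments" algorithm. It is example code written for this page, not curl's own dotdot function from the linked file, and the function names (remove_dot_segments, pop_segment, copy_segment, normalizes_to) and the sample paths are my own. The defender-relevant point is the last sample: dot segments that would climb above the root are dropped, which is why a normalizer, and not the file system, must be the thing that decides what a path like that means.

```c
#include <stdio.h>
#include <string.h>

/* Drop the trailing "/segment" from out (RFC 3986 5.2.4, step 2C).
   If out contains no '/', it becomes empty. */
static size_t pop_segment(char *out, size_t olen)
{
    while (olen > 0 && out[olen - 1] != '/')
        olen--;
    if (olen > 0)
        olen--;                 /* drop the '/' itself as well */
    return olen;
}

/* Move one path segment (optional leading '/', then everything up to
   the next '/') from *pp to out; returns the new output length (step 2E). */
static size_t copy_segment(const char **pp, char *out, size_t olen)
{
    const char *p = *pp;
    if (*p == '/')
        out[olen++] = *p++;
    while (*p && *p != '/')
        out[olen++] = *p++;
    *pp = p;
    return olen;
}

/* Normalize "." and ".." segments out of a URL path.
   out must hold at least strlen(in) + 1 bytes; the output is never
   longer than the input. Returns the output length. */
size_t remove_dot_segments(const char *in, char *out)
{
    const char *p = in;
    size_t olen = 0;

    while (*p) {
        if (!strncmp(p, "../", 3))            /* A: leading "../" */
            p += 3;
        else if (!strncmp(p, "./", 2))        /* A: leading "./" */
            p += 2;
        else if (!strncmp(p, "/./", 3))       /* B: "/./x" -> "/x" */
            p += 2;
        else if (!strcmp(p, "/.")) {          /* B: trailing "/." -> "/" */
            out[olen++] = '/';
            p += 2;
        }
        else if (!strncmp(p, "/../", 4)) {    /* C: "/../x" -> pop, "/x" */
            olen = pop_segment(out, olen);
            p += 3;
        }
        else if (!strcmp(p, "/..")) {         /* C: trailing "/.." -> pop, "/" */
            olen = pop_segment(out, olen);
            out[olen++] = '/';
            p += 3;
        }
        else if (!strcmp(p, ".") || !strcmp(p, ".."))   /* D: lone dots */
            p += strlen(p);
        else
            olen = copy_segment(&p, out, olen);
    }
    out[olen] = '\0';
    return olen;
}

/* Helper for checking results: 1 if in normalizes to expected. */
int normalizes_to(const char *in, const char *expected)
{
    char buf[256];
    if (strlen(in) >= sizeof(buf))
        return 0;
    remove_dot_segments(in, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths: the first two are the RFC's own examples,
       the last one shows ".." above the root being discarded. */
    const char *samples[] = {
        "/a/b/c/./../../g", "mid/content=5/../6", "/a/b/..",
        "/static/../../etc/passwd"
    };
    char buf[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        remove_dot_segments(samples[i], buf);
        printf("%-28s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

The algorithm is linear in the input, but each `pop_segment` rescans the output for the previous '/', which is one of the places a faster implementation could keep a stack of segment starts instead; that is the kind of speed-up the challenge is asking for, without changing the results above.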
With 20 days left to next #curl release
Stats so far this cycle:
Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)
We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)
All three found with AI powered tooling.
So it is happening.