Items tagged with: cURL
speedcheck: do not trigger low speed cancelation on transfers paused with CURL_READFUNC_PAUSE by bttrfl · Pull Request #19653 · curl/curl
I have encountered an issue similar to #6358. When pausing an upload, it is not actually excluded from the low speed cancelation. The issue seems to be that the condition in the code only checks if... (GitHub)
On this day nine years ago, #curl received its first security audit report.
daniel.haxx.se/blog/2016/11/23…
curl security audit
"the overall impression of the state of security and robustness of the cURL library was positive." I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. (daniel.haxx.se)
Ah, #curl still in use, I see:
> otool -L ~/.cargo/bin/rustup
...
/usr/lib/libcurl.4.dylib
and cargo itself is:
~/.cargo/bin/cargo -> rustup
We try to keep it all safe to the best of our abilities.😌
In today's edition of #ChatGPT imagines a non-existent #curl feature, much to @bagder 's dismay...
As passed along by my colleague who discovered this, the prompt included: "find a website that is actually hosted on physical infrastructure in Guam"
and ChatGPT suggested one on #Akamai but then suggested using the non-existent --no-cdn flag to skip straight to the origin. Please don't take this as a suggestion to implement such a feature. 🙂
A real Hackerone #curl report title!:
"Out-of-bounds read in *** potential crash. This is sharp, <reporter name>. We've got a real memory safety bug"
The AI is helpfully cheering the guy onwards to slopping. Of course, it is a false positive.
In 2007 I did a talk about #curl at the FSCONS conference. The video is lost in time but today I realized that FSF Europe is still hosting the torrent file.
Not too many seeders of that content left though... 😎
Friends don't let friends disable TLS server verification. (#curl is used, but the check is explicitly disabled by the app)
AmigaOS: raise default tool stack size to 32768 bytes by boingball · Pull Request #19578 · curl/curl
This change increases the minimum stack cookie for the AmigaOS build of the curl tool. In testing, the older stack size of 16384 was causing curl to crash on heavy TLS loads. These operations are si... (GitHub)
I have already been asked how we intend to celebrate #curl's 30th anniversary next November (counted from httpget's birth)
But no, I have no idea. I'll think about that in about 11 months
Started a discussion about adding a timer notification to libcurl. If you use the "multi" interface, maybe you have an opinion?
#curl
github.com/curl/curl/discussions/19553
GitHub - curl/curl: A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, T
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP... (GitHub)
openssl: bump minimum OpenSSL version to 3.0.0 · curl/curl@69c89bf
It also means that all supported OpenSSL versions and forks support TLSv1.3 after this patch. It reduces `openssl.c` size by more than 10%, or 400 LOC. Ref: #18822 Closes #18330 (GitHub)
Added example on using --limit-rate and --max-time together by nait-furry · Pull Request #19473 · curl/curl
Added a simple example of how --limit-rate and --max-time could be used together for a controlled transfer window (GitHub)
if you are not happy on your FIPS system with modern #curl treatment of TLSv1.3, why not simply refrain from using curl?
Or take an older version and maintain it yourself.💁🏻♂️
github.com/curl/curl/pull/1934…
openssl: respect system crypto policy for TLS max version by jacekmigacz · Pull Request #19342 · curl/curl
When no explicit --tls-max option is provided, curl should respect OpenSSL's system-wide crypto policy configuration instead of overriding it. Previously, curl called SSL_CTX_set_max_proto_vers... (GitHub)
Parsing integers in C. Aka "bye bye atoi".
daniel.haxx.se/blog/2025/11/13…
Parsing integers in C
In the standard libc API set there are multiple functions provided that do ASCII numbers to integer conversions. They are handy and easy to use, but also error-prone and quite lenient in what they accept and silently just swallow. (daniel.haxx.se)
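As an added illustration of the leniency the post describes (example code written for this page, not taken from the blog post or from curl's own source; the function names and the reason codes are my own choices), here is a strict decimal parser that refuses whitespace, signs, trailing characters and overflow, placed beside the atoi()/strtol() behaviour it replaces:

```c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Strict base-10 parser (added example, not curl's code). Accepts only
 * ASCII digits, no sign, no leading whitespace, no trailing characters,
 * and refuses any value above `max`. Returns 0 on success; the non-zero
 * reason codes (1 empty, 2 bad character, 3 overflow) are arbitrary. */
int strict_parse_ulong(const char *s, unsigned long max, unsigned long *out)
{
    unsigned long v = 0;
    const char *p;

    if(!s || !*s)
        return 1;                 /* empty input is not a number */
    for(p = s; *p; p++) {
        unsigned long d;
        if(*p < '0' || *p > '9')
            return 2;             /* any non-digit is rejected, never skipped */
        d = (unsigned long)(*p - '0');
        /* reject if v * 10 + d would exceed max, checked without overflowing */
        if(d > max || v > (max - d) / 10)
            return 3;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* The lenient libc route: atoi() skips leading whitespace, takes an optional
 * sign, stops silently at the first non-digit and has no overflow report. */
long lenient_atoi(const char *s)
{
    return atoi(s);
}

/* strtol() does tell the caller where parsing stopped, but only if the
 * caller remembers to look at the end pointer. */
int strtol_had_trailing_junk(const char *s)
{
    char *end = NULL;
    (void)strtol(s, &end, 10);
    return (end && *end != '\0') ? 1 : 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = { "42", " 42", "+42", "42abc", "-1", "",
                             "99999999999999999999" };
    size_t i;
    for(i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        unsigned long v = 0;
        int rc = strict_parse_ulong(inputs[i], ULONG_MAX, &v);
        printf("%-22s strict rc=%d value=%lu | atoi=%ld trailing_junk=%d\n",
               inputs[i], rc, v, lenient_atoi(inputs[i]),
               strtol_had_trailing_junk(inputs[i]));
    }
    return 0;
}
```

Running it shows the contrast the post is about: atoi() happily returns 42 for " 42abc" and 0 for an empty string, while the strict parser rejects every input that is not exactly a bounded run of digits.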
- 1000 (16%, 179 votes)
- 1024 (83%, 904 votes)
Twenty-nine years ago on this day, #httpget 0.1 was released.
I found the tool a few days later and within a few months I became the maintainer. We later renamed it. Twice. The last name it got is #curl. It stuck.
httpget was my first insight and lesson into HTTP and since then I have kept learning it.
httpget 0.1 was written by Rafael Sagula, who unfortunately is not with us anymore.
six #curl security reports received within the last eight hours
I'm not getting the sense that things are improving.
"#curl working as intended is a vulnerability"
Ok I paraphrased the title but this onslaught is a bit exhausting...
curl disclosed on HackerOne: Arbitrary Configuration File...
## Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name... (HackerOne)
one of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".
We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over.
Here's a recent one.
curl disclosed on HackerOne: SMTP CRLF Injection in curl/libcurl...
SMTP CRLF Injection Vulnerability in curl/libcurl ## Vulnerability ID: CURL-SMTP-CRLF-2024 ## CWE-93: Improper Neutralization of CRLF Sequences ### Executive Summary curl/libcurl contains a CRLF... (HackerOne)
In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many 3rd party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems?
And that's only for the issues we received this weekend.
You'd think that, having merged on average eight bugfixes per day during the last #curl release cycle, we would slow down a little now.
5 days after the release we are at:
Bugfixes logged: 48 (9.43 per day)
cshutdn: acknowledge FD_SETSIZE for shutdown descriptors by bagder · Pull Request #19439 · curl/curl
In the logic called for curl_multi_fdset(). File descriptors larger than FD_SETSIZE size are simply ignored, which of course will make things break but at least it does not trash memory. Reported-b... (GitHub)
In #curl land, @vsz made a CI job that builds curl with fil-C and it runs the tests fine. Just slightly limited due to lack of dependencies as they all need to be built with fil-C as well.
github.com/curl/curl/pull/1939…
GHA/linux: add minimal Fil-C build with tests by vszakats · Pull Request #19391 · curl/curl
Requirements for Fil-C: not to accidentally pick up system headers. E.g. from /usr/include on Linux. It can happen when any dependency is auto-detected on this header path. This makes Fil-C find t... (GitHub)
Long post by Devansh on AI slop in bug bounties with lots of #curl references:
On AI Slop vs OSS Security
I have spent the better part of a decade in the bug bounty industry, and my perspective on this industry is shaped by this experience. The first five year... (devansh)
Homebrew is planning to enable Apple's SecTrust use in #curl. Nice to see them bringing this to their users!
github.com/Homebrew/homebrew-c…
curl: Enable Apple SecTrust support by ismail · Pull Request #253125 · Homebrew/homebrew-core
This enables native CA certificates support on macOS. Have you followed the guidelines for contributing? Have you ensured that your commits follow the commit style guide? Have you checked that ... (GitHub)
24 hours since a dot-zero #curl release with 400+ bugfixes and not a single annoying regression reported yet.
I'm not sure how to handle this.
curl disclosed on HackerOne: CVE-2025-10966: missing SFTP host...
## Summary: When curl is built with the wolfSSH backend, the SSH/SFTP implementation in `lib/vssh/wolfssh.c` performs no server host key verification and exposes no host identity options in the... (HackerOne)