curl disclosed on HackerOne: WebSocket Fragmentation DoS on Curl...

### Summary A malicious WebSocket server can send a fragmented message (FIN=0) followed by a flood of continuation frames, causing the client (curl) to continuously allocate memory while waiting...

SCP/SFTP: Fix sftp_statemachine busyloop when *block=true by sunriseL · Pull Request #18311 · curl/curl

sftp_download_stat, sftp_upload_init, sftp_quote_stat, sftp_readdir will translate LIBSSH2_ERROR_EAGAIN to CURLE_OK and set *block to TRUE, but outer loop do not check *block, result in busy loop

curl disclosed on HackerOne: ## Title Heap Use-After-Free...

## Summary A **Use-After-Free (UAF)** vulnerability was discovered in `curl` at **`curl_trc.c:195`**. When processing specially crafted input, the code accesses memory after it has already been...

curl release candidates

cookie: remove expired cookies before listing by xfangfang · Pull Request #18299 · curl/curl

If the cookie returned by the server is expired, curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies) will still retrieve one expired cookie(Only the last one). Below is the test code: server...

My Midnight Battle with a curl Command

My Midnight Battle with a curl Command A story of PowerShell, a annoying bug, and what stood between me and a dream internship in Japan. Obviously every problem has its own background story, It was …

car brands running curl

Seven years ago I wrote about how a hundred million cars were running curl and as I brought up this blog post in a discussion recently, I came to reflect over how the world might have changed since. Is curl perhaps used in more cars now? Yes it is.

docs: mention new default value for CURLOPT_HTTP_VERSION by gmta · Pull Request #18273 · curl/curl

Fixes #18272.

curl - Changes in 5.10

curl-mirror

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS…

Curl: A future off HackerOne?

A hundred million cars run curl

One of my hobbies is to collect information about where curl is used. The following car brands feature devices, infotainment and/or navigation systems that use curl - in one or more of their models.

HackerOne

curl tells the %time

The curl command line option --write-out or just -w for short, is a powerful and flexible way to extract information from transfers done with the tool. It was introduced already back in version 6.5 in the early 2000.

curl vs Wget

Documentation and ramblings of Daniel Stenberg, founder and lead developer of curl.

libcurl: Reset rewind flag in curl_easy_reset() by oxan · Pull Request #18207 · curl/curl

curl_easy_reset() did not reset the rewind_read flag. This caused any handles that previously had a CURLE_SEND_FAIL_REWIND error to get stuck with that error, failing any subsequent requests, even ...

curl disclosed on HackerOne: Use After Free (that leads to...

## Summary: - Use-After-Free vulnerability that leads to arbitrary write/READ YES, I used IA along with mermaind editor (online one) to generate this graph that show these paths for...

Update BINDINGS.md by Qriist · Pull Request #18195 · curl/curl

Add LibQurl to the list of known binding libraries. EDIT: I noticed that my PR comment maaaybe sounds more like an order than the simple description it was intended to be. Sorry! ^^;

Follow redirects but differently

In the early days of curl development we (I suppose it was me personally but let's stick with we so that I can pretend the blame is not all on me) made the possibly slightly unwise decision to make the -X option change the HTTP method for all request…

Output unescaped utf8 x509 issuer/subject DNs by unRob · Pull Request #18171 · curl/curl

What I'm trying to fix: I have certificates where the issuer DN has accented characters (encoded as utf8 strings) and I'd like curl -v to render these characters properly, instead of showin...

hostip: cache negative name resolves by bagder · Pull Request #18157 · curl/curl

Hold them for half the normal lifetime. Helps when told to transfer N URLs in quick succession that all use the same non-resolving hostname. Done by storing a DNS entry with a NULL pointer for '...

c10kday

From March 20, 1998 when the first curl release was published, to this day August 5, 2025 is exactly 10,000 days. We call it the curl-10000-day. Or just c10kday. c ten K day. We want to celebrate this occasion by collecting and sharing stories.

curl turns 10,000 days · curl curl · Discussion #17930

On August 5 2025, it is exactly 10,000 days since March 20 1998 when the first curl release was done. For this occasion we want to collect fun, exciting, or interesting stories that involve curl an...

secs2ms(): Changes to digs[5] and digs sizeof sizeof by Sackzement · Pull Request #18167 · curl/curl

First commit changes this: long val; secs2ms(&val, "1.23456"); // val = 1234 // ok secs2ms(&val, "1.234567"); // val = 1023 // should be 1234 secs2ms(&val, "...

curl: add --follow by bagder · Pull Request #16543 · curl/curl

Makes curl follow redirects an act on the response code and change a custom method accordingly, contrary to --location. Potential future command line to send QUERY and following a redirect accordin...

Even happier eyeballs

Back in 2012, the Happy Eyeballs RFC 6555 was published. It details how a sensible Internet client should proceed when connecting to a server.

wget Removed from Ubuntu Server 25.10 Default Install

Ubuntu Server 25.10 removes wget from its default installation, in favour of the wcurl tool. Here's why the change was made and if it'll affect you.

writeout: add %time{} by bagder · Pull Request #18119 · curl/curl

Output the current UTC time using strftime format. %f is an extra curl specific flag to output the microsecond fraction of the current second. TODO decide if we want this at all is the strftime ...