#curl 8.16.0

youtu.be/n9RRiAOlT-A

curl 8.16.0 with Daniel Stenberg

Daniel presents the security vulnerabilities, the changes, bugfixes in 8.16.0 and what might possibly be coming next.

^YouTube

#curl 8.16.0 was just released:

daniel.haxx.se/blog/2025/09/10…

I will live-stream a release presentation at 10:00 CEST on twitch

curl 8.16.0

Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0.

^{daniel.haxx.se}

There's going to be more speak about AIs finding genuine security problems soon.

Google Big Sleep found one in #curl that we reveal tomorrow.... in about eight hours. (but no, we don't know how much was AI and how much was human or how many false positives they had to wade through to get there etc maybe they will let us know later?)

This second, there are 213 people joined in the official #curl IRC channel.

curl.se/docs/irc.html

if there ever is a major incident in #curl, we now have a documented approach on how to work through it

daniel.haxx.se/blog/2025/09/09…

preparing for the worst

One of these mantras I keep repeating is how we in the curl project keep improving, keep polishing and keep tightening every bolt there is.

^{daniel.haxx.se}

48 hours to #curl release

At **4** open issues: github.com/curl/curl/issues

curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...

^GitHub

Working on a way to have #curl -w able to output the contents of all headers with a set name even from a redirect-"chain":

github.com/curl/curl/pull/1849…

write-out: make %header{} able to output *all* occurances of a header by bagder · Pull Request #18491 · curl/curl

By appending :all:[separator] to the header name. The [separator] string is output between each header value if there are more than one to output. Test 764 verifies Idea-by: kapsiR on github Ref: #...

^GitHub

About that enhanced WebSocket support in the next curl release, e.g. next Wednesday:
#curl #websocket

eissing.org/icing/posts/curl-w…

major incident section added to the #curl vulnerability disclosure policy

github.com/curl/curl/pull/1848…

by @jimfuller

In this newly disclosed #curl security report it is painfully obvious how the user's "clever" idea of using an AI to write the report made the report into a impenetrable wall of text instead of simply stating the problem in a few coherent paragraphs.

hackerone.com/reports/3324901

curl disclosed on HackerOne: libcurl: Host-Only Cookies Leak to...

libcurl canonicalizes numeric IPv4 hostnames during URL parsing and redirect handling (example: 127.000.000.001 to 127.0.0.1). When a host-only cookie (no Domain= attribute) is set, it is stored in...

^HackerOne

Having ongoing discussions about URL parsing differences as a basis for a #curl security vulnerability report made me check when I wrote my "my URL isn't your URL" blog post.

*Nine years ago*. And we have not made a single move towards a solution in all this time.

daniel.haxx.se/blog/2016/05/11…

My URL isn’t your URL

When I started the precursor to the curl project, httpget, back in 1996, I wrote my first URL parser. Back then, the universal address was still called URL: Uniform Resource Locators. That spec was published by the IETF in 1994.

^{daniel.haxx.se}

Digital Extremes violate the #cURL license?

github.com/curl/curl/discussio…

If they do, that's a shame but there's not a lot I can do. Anyone who can verify this claim? (probably by scanning the binaries for known names or similar)

Digital Extremes violate the cURL license · curl curl · Discussion #18474

Hi, I just want to let you know (and have there be a record) of the fact that Digital Extremes, a Canadian video-game-developer-turned-GaaS-developer, are using cURL (statically linked alongside Op...

^GitHub

Today is exactly twelve years ago since we created the lib/http2.c source file in the #curl source tree, and doing HTTP would never be the same again.

The paradigm shift going from one transfer per connection to possibly multiple transfers per connection was massive and took many years until most of the bugs were ironed out.

On September 28, I will speak at #EuroBSDCon in Zagreb Croatia.

But more importantly, I will bring #curl stickers.

2025.eurobsdcon.org/

Is it time for DANE support in #curl ?

curl.se/mail/lib-2025-09/0000.…

In the curl release after the next, there is a nice feature coming for event-based applications: notifications.

Some numbers on possible performance/cpu use improvements in the PR, ymmv.
#curl

github.com/curl/curl/pull/1843…

multi notifications by icing · Pull Request #18432 · curl/curl

An implementation of the discussion #17817, adding a "notification" feature to the multi handle. Notification types INFO_READ and EASY_DONE implemented Notification types expected to gro...

^GitHub

#curl is dropping support for OpenSSL 1.x soon

daniel.haxx.se/blog/2025/08/28…

Dropping old OpenSSL

curl added support for OpenSSL immediately when it was first released, as they switched away from SSLeay, in the late 1990s. We have since supported it over the decades as both OpenSSL and curl have developed.

^{daniel.haxx.se}

We are thirteen days away from next #curl release.

We have 17 changes and 225 bugfixes logged so far for this.

One low severity CVE will be published in sync with this release.

Thanks for flying curl.

Today we celebrate seven years of #curl shipping official Windows executables, thanks to @vsz's awesome work.

Blog post from back then:
daniel.haxx.se/blog/2018/08/27…

Blessed curl builds for Windows

The curl project is happy to introduce official and blessed curl builds for Windows for download on the curl web site. This means we have a set of recommended curl packages that we advice users on Windows to download.

^{daniel.haxx.se}

It took me 4 seconds to figure out that the grey elements are not partvof the graph (to indicate trends or something) but the curl logo.

#curl

"Yesterday, Wikipedia received over 45 million requests made with #curl, from 113 distinct curl releases."

gitlab.wikimedia.org/-/snippet…

20250826-webrequest-curl ($247) · Snippets · GitLab

GitLab Community Edition

^GitLab

Inspired by the BBC Tech report from @tdp_org, I looked at Wikipedia.

Yesterday, Wikipedia received over 45 million requests made with curl, from 113 distinct curl releases.

Of these, 32 million use the default UA (e.g. curl CLI). The other 13 million embed libcurl with a longer UA string containing curl (e.g. GuzzleHttp/PHP, PycURL, UnityPlayer)

At 12 million, most are curl/7.88.1.

Raw data, queries, and scrub/cleaning parameters:
gitlab.wikimedia.org/-/snippet…

#browserstats #curl #wikipedia

Very entertaining & educational keynote on #curl at #OSSummit

Amazing how much curl is involved in driving our modern world.

#Thanks Daniel Stenberg!