Items tagged with: Curl
It's about sustainability too. #curl is a small project. We cannot spend multiple hours every day arguing with people who want money for having found what is perhaps a bug - but often is not even that.
It drains us. It drowns us.
Onward and upward!
It is our moral imperative to consider the "real world" and actual users when assessing the possible security impact of a reported #curl issue. If we deem that there is likely to be zero affected users, then we do more damage than good by insisting on doing the security dance for the issue.
Then we end up with a severity level that is below LOW, and then we treat it as a bug instead. For the good of mankind.
To be frank: the report quality on Hackerone is so low by now that the #curl team decided to make CVEs based only on the coolness of the reporter's username.
💁🏻♂️😌
On the morning of the 13th day of the year we have received *checks notes* 13 #curl vulnerability reports on Hackerone this year.
None a confirmed vulnerability.
Augment (which gave the #curl project free access) is changing pricing (again) in what seems to be a 10x increase.
Augment pricing changes from 'messages' (number of answers, which you control) to 'credit' (which is effort, controlled by Augment).
And this is probably still not enough to cover their real costs, not even speaking of profit.
Wherever you stand on the LLM debate, don't become dependent on those companies. Their business model sucks.
theregister.com/2025/10/15/aug…
AI startup Augment scraps 'unsustainable' pricing, users say new model is 10x worse: Second huge increase in six months sees some devs heading for the exit. Tim Anderson (The Register)
Copyright without years
Like so many other software projects the curl project has copyright mentions at the top of almost every file in the source code repository. Like Copyright (C) 1998 - 2022, Daniel Stenberg ... (daniel.haxx.se)
#curl 8.18.0 with Daniel Stenberg
curl 8.18.0 with Daniel Stenberg
Daniel talks about the six(!) new security advisories, the changes and the most important bugfixes from the curl 8.18.0 release. (YouTube)
#curl 8.18.0 has been released. This release fixes 2 medium and 4 low level vulnerabilities:
- CVE-2025-13034: No QUIC certificate pinning with GnuTLS curl.se/docs/CVE-2025-13034.ht…
- CVE-2025-14017: broken TLS options for threaded LDAPS curl.se/docs/CVE-2025-14017.ht…
- CVE-2025-14524: bearer token leak on cross-protocol redirect curl.se/docs/CVE-2025-14524.ht…
- CVE-2025-14819: OpenSSL partial chain store policy bypass curl.se/docs/CVE-2025-14819.ht…
- CVE-2025-15079: libssh global knownhost override curl.se/docs/CVE-2025-15079.ht…
- CVE-2025-15224: libssh key passphrase bypass without agent set curl.se/docs/CVE-2025-15224.ht…
I discovered the last 2 vulnerabilities.
Download curl 8.18.0 from curl.se/download.html
#vulnerabilityresearch #vulnerability #cybersecurity #infosec
#curl 8.18.0 has been released
daniel.haxx.se/blog/2026/01/07…
curl 8.18.0
Download curl from curl.se! Release presentation: On January 7 2026, at 10:00 CET (09:00 UTC), there is a live-streamed release presentation of curl 8.18.0 done on twitch. The YouTube recording will be made available afterwards. (daniel.haxx.se)
6,000 curl stickers
I am heading to FOSDEM again at the end of January. I go there every year and I have learned that there is a really sticker-happy audience there. The last few times I have been there, I have given away several thousands of curl stickers. (daniel.haxx.se)
curlhacker - Twitch
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics. (Twitch)
I spend a ridiculous amount of my time on #curl security these days. Because I think that's my responsibility.
something something open source sustainability
The year's 6th day just started and we just clocked in our 8th hackerone report on #curl for the year.
This doesn't work.
Fixed missing space in cookie header when using multiple -b flags by pojomi · Pull Request #20184 · curl/curl
Summary: When using multiple -b flags, the Cookie header was missing a space after the semicolon separator. Bug behavior: curl -b 'a=b' -b 'c=d' https://google.com/ Produced: Cookie: ... (GitHub)
On the fourth day of the year and we have already disclosed 6 Hackerone reports against #curl
This can only end one way.
docs: add a note about --compressed to note about binary output by tstoeckler · Pull Request #20168 · curl/curl
Follow-up from #19867. Instead of modifying the binary output warning directly, this just adds a note to the docs as requested. (GitHub)
digest: fix OWS and escaped quote handling by trxvorr · Pull Request #20102 · curl/curl
The migration to the strparse API introduced regressions in Digest authentication parsing where Optional Whitespace (OWS) after commas was not skipped, and escaped quotes in values were not correct... (GitHub)
26 years ago, on December 28 1999, we migrated the main #curl source code from self-hosted to Sourceforge.
It was the new hot thing. Imagine the idea of a dedicated service devoted to nothing but hosting code!
We then kept the code there for ten years (on CVS). A period when the distributed version control systems really exploded.
No strcpy either.
daniel.haxx.se/blog/2025/12/29…
#curl
no strcpy either
Some time ago I mentioned that we went through the curl source code and eventually got rid of all strncpy() calls. strncpy() is a weird function with a crappy API. It might not null terminate the destination and it pads the target buffer with zeroes. (daniel.haxx.se)
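The two strncpy() properties the post describes, shown in an added example that is not the blog's or curl's own code: a too-long source leaves the destination without a terminating NUL, a short source zero-fills the rest of the buffer, and a length-checked memcpy() with an explicit terminator (a constructed replacement, not curl's actual helper) avoids both surprises.

```c
#include <stdio.h>
#include <string.h>

#define BUF 8 /* constructed destination size for the demonstration */

/* Returns 1 if strncpy() left dst without any NUL byte when the source
   is at least as long as the buffer: the classic missing terminator. */
int strncpy_truncates_without_nul(void) {
    char dst[BUF];
    memset(dst, 'X', sizeof dst);           /* poison so a missing NUL is visible */
    strncpy(dst, "0123456789", sizeof dst); /* copies exactly 8 bytes, writes no NUL */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Returns how many bytes strncpy() zero-filled after the copied string when
   the source is shorter than the buffer: the padding the post mentions. */
size_t strncpy_zero_padding(void) {
    char dst[BUF];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "ab", sizeof dst); /* "ab" followed by 6 zero bytes */
    size_t zeros = 0;
    for (size_t i = 2; i < sizeof dst; i++)
        if (dst[i] == '\0') zeros++;
    return zeros;
}

/* Bounded copy that always NUL-terminates and writes only what is needed.
   Returns the full source length so the caller can detect truncation,
   in the same spirit as snprintf(). Hypothetical helper for illustration. */
size_t copy_bounded(char *dst, size_t dstsize, const char *src) {
    size_t len = strlen(src);
    if (dstsize == 0) return len;
    size_t n = len < dstsize - 1 ? len : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Truncating copy through copy_bounded(): terminated, correct prefix,
   and the caller learns that 10 bytes were needed. */
int copy_bounded_terminates(void) {
    char dst[BUF];
    size_t needed = copy_bounded(dst, sizeof dst, "0123456789");
    return dst[BUF - 1] == '\0' && strcmp(dst, "0123456") == 0 && needed == 10;
}

int main(void) {
    printf("strncpy left no NUL: %d\n", strncpy_truncates_without_nul());
    printf("strncpy zero padding: %zu bytes\n", strncpy_zero_padding());
    printf("bounded copy terminated: %d\n", copy_bounded_terminates());
    return 0;
}
```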
#curl hackerone update: one more vulnerability was confirmed legit and we have six pending CVEs now.
Only one of the submitted issues remains in triage but I'm advocating closing as N/A.