When you‘re low on RAM, I recommend using a recent #curl for your internet transfers.
It can shuffle gigabytes back and forth using a few MB of your memory (mostly used by openssl).
If you develop an application, you can use #libcurl to gain its benefits.
Need to shape your traffic? For example bc you run a streaming service? #libcurl does that for you for all HTTP versions.
Today, twenty-nine awesome years ago, httpget 0.2 shipped. Unfortunately, both the source and the changelog for this release have been lost in time (like tears in rain).
httpget was the precursor to what later would become #curl
The internet, and the web, was different in 1996.
Five years ago I started getting these emails about #curl from NASA. Months later we learned this probably was related to them using curl in the Mars Helicopter mission.
daniel.haxx.se/blog/2020/12/17…
Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA.daniel.haxx.se
20,000 issues on GitHub
daniel.haxx.se/blog/2025/12/16…
#curl
The curl project moved over its source code hosting to GitHub in March 2010, but we kept the main bug tracker running like before - on Sourceforge. It took us a few years, but in 2015 we finally ditched the Sourceforge version fully.daniel.haxx.se
In a couple of places in docs time_posttransfer's output is mentioned as milliseconds while it is actually unit of seconds.GitHub
"Can #curl avoid to be in a future funnily named exploit that shakes the world?"
I blogged this eleven years ago and the story remains almost identical today...
daniel.haxx.se/blog/2014/12/15…
During this year we've seen heartbleed and shellshock strike (and a few more big flaws that I'll skip for now).daniel.haxx.se
On this day **fifteen years ago**, we shipped #curl 7.21.3 that introduced both --resolve and --xattr.
curl.se/docs/manpage.html#--re…
Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)
github.com/curl/curl/blob/28d2…
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
With 20 days left to next #curl release
Stats so far this cycle:
Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)
We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)
All three found with AI powered tooling.
So it is happening.
On this day six years ago, we learned that mr Robot curls:
daniel.haxx.se/blog/2019/12/10…
Exactly three years later, still this date, we found a #curl sighting in the movie Silk Road:
daniel.haxx.se/blog/2022/12/10…
The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a "curl sighting" in the show and very well I took a closer peek and what do we see some 37 minutes 36 secon…daniel.haxx.se
⭐ ⭐ ⭐ ⭐ ⭐
The #curl repo on GitHub surpassed 40K stars: github.com/curl/curl
⭐ ⭐ ⭐ ⭐ ⭐
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.
My previous write-up on the rather lame injected problems they found:
daniel.haxx.se/blog/2025/10/22…
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.daniel.haxx.se
curl_formget() accepts a user-provided callback function but does not validate it is non-NULL before calling it. If a caller passes NULL, the function will crash with SIGSEGV. Add NULL check at the...GitHub
#curl 8.18.0-rc1 is here => curl.se/rc/
As always, we appreciate if you can take it for a spin and verify that there are no regressions for your use cases.
The pending release notes are here: curl.se/dev/release-notes.html
12 screenshots and one video. On a claimed #curl problem that even in the title says *test suite*
Beware of the strong AI smell on this one.
**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle** ```c /*************************************************************************** * ...HackerOne
The Bug We noticed that using IPv6 CIDR-Notation in a NO_PROXY env var doesn't have the desired effect, contrary to what the documentation at https://everything.curl.dev/usingcurl/proxies/env.h...GitHub
A new Hackerone issue was submitted for #curl and I had it closed as not applicable within four minutes. A new personal record I believe.
(It will be disclosed asap.)
Today December 4, at 18:00 CET I will talk tiny #curl. With a bird-themed slide set!
us02web.zoom.us/webinar/regist…
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Reminder. #curl runs in all your devices. So I made a slide to show some of them.
(yeah, I've used and shown this slide numerous times before and I will probably do it again...)
Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl
ndcsecurity.com/speakers/danie…
NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel.NDC
We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html
If you have opinions on any of those, speak up on the mailing list asap.
over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…
It will be made available on video after the fact.
tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Someone invoked #curl on Windows powershell, saw a problem and reported it to us.
Yes. It was the dreaded alias. Again. Not a problem in "the real curl". I tried to get rid of this sorry thing, remember?
daniel.haxx.se/blog/2016/08/19…
PowerShell is a spiced up command line shell made by Microsoft. According to some people, it is a really useful and good shell alternative.daniel.haxx.se
Interesting numbers.
#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to .8.8GiB/sec.
I have encountered an issue similar to #6358. When pausing an upload, it is not actually excluded from the low speed cancelation. The issue seems to be that the condition in the code only checks if...GitHub
