Daniel Stenberg

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** A flaw exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is performed in clear-text via IMAP, SMTP, or POP3, a subsequent request to the same host bypasses the TLS requirement and transmits data unencrypted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** When using libcurl to perform a transfer over a specific HTTP proxy (`proxyA`) with Digest authentication and subsequently changing the proxy host to a second one (`proxyB`) while reusing the same handle, libcurl incorrectly sends the `Proxy-Authorization:` header intended for `proxyA` to `proxyB`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** When configured to use a `.netrc` file for credentials and to follow HTTP redirects, libcurl may leak the password used for the initial host to the subsequent host during the redirect process under certain circumstances. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** When using libcurl, a flaw exists where a custom `Host:` header set for an initial HTTP request can cause subsequent requests using the same easy handle to use stale information. If the second request is made without a custom `Host:` header, it may leak cookies intended for the first host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** curl may erroneously pass credentials intended for a first proxy to a second proxy. This occurs when curl is configured to use different proxies for different URL schemes, the first proxy requires credentials, the second proxy does not, and curl is redirected from a URL using the first proxy's scheme (e.g., `http://`) to a URL using a different scheme (e.g., `https://`) that utilizes the second proxy. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** A logical error in the connection pooling mechanism may cause libcurl to reuse an incorrect connection for SMB(S) transfers. When reusing a connection, specific criteria must be met; however, a request could wrongfully reuse an existing SMB connection to the same server that utilized a different share than the subsequent transfer requires. This may result in downloading the wrong file or uploading a file to an incorrect location, provided the same credentials and server name are used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** libcurl may reuse an incorrect connection when handling Negotiate-authenticated HTTP or HTTPS requests. This occurs because libcurl maintains a pool of recent connections to avoid overhead. A logical error can cause a request to reuse a connection authenticated with different credentials than expected, as Negotiate sometimes authenticates connections rather than individual requests. Specifically, if an application authenticates with `user1:password1` and then attempts another operation with `user2:password2` while the first connection remains active, the second request might incorrectly reuse the connection associated with `user1`. The authentication methods are configured using the `CURLOPT HTTPAUTH` option. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under certain circumstances. Specifically, if the hostname that the first request is redirected to has information in the used .netrc file, with either the `machine` or `default` keywords, curl would pass on the bearer token set for the first host to the second one. The .netrc file stores credentials, and this issue could expose sensitive tokens. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** The software lacks proper host verification when establishing SSH connections for SFTP operations using the wolfSSH backend. This flaw allows for man-in-the-middle (MITM) attacks to go undetected, as any host key is accepted. The issue stems from a flaw in the code managing SSH connections. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libcurl versions using zlib 1.2.0.3 or older Description: The issue is related to automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT ACCEPT ENCODING` option. An attacker-controlled integer overflow can cause libcurl to perform a buffer overflow when using zlib 1.2.0.3 or older. This can potentially allow a remote attacker to bypass the ASLR protection mechanism, execute arbitrary code, or cause a denial of service. Recommendations: For libcurl versions using zlib 1.2.0.3 or older, consider disabling the `CURLOPT ACCEPT ENCODING` option as a temporary workaround until a patch is available. Restrict access to the vulnerable zlib library to minimize the risk of exploitation. Avoid using the `CURLOPT ACCEPT ENCODING` option with zlib versions 1.2.0.3 or older until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libcurl (affected versions not specified) Description: The issue arises when libcurl wrongly closes the same eventfd file descriptor twice after completing a threaded name resolve and taking down a connection channel. This problem occurs due to incorrect handling of the eventfd file descriptor. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl versions prior to 7.87.0-150400.7.26.1 openSUSE Leap 15.6 (affected versions not specified) SUSE Linux Enterprise Server 15 SP4 (affected versions not specified) **Description** The issue relates to libcurl's handling of TLS options during multi-threaded LDAPS (LDAP over TLS) transfers. Modifying TLS options within one thread unintentionally alters them globally, potentially impacting other concurrent transfers. Specifically, disabling certificate verification for a single transfer could inadvertently disable it for all threads. This could lead to insecure connections and potential compromise of sensitive data. The issue is also described as a heap buffer overflow in curl, potentially allowing Remote Code Execution (RCE) via malicious SOCKS5 proxy responses. **Recommendations** Update libcurl to version 7.87.0-150400.7.26.1 or later. Apply the security update SUSE-2026-0078-1. Update openSUSE Leap 15.6 to the latest available version. Update SUSE Linux Enterprise Server 15 SP4 to the latest available version.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.74.0-1.3+deb11u16 curl (affected versions not specified) **Description** curl contains an out-of-bounds read issue in the cookie path comparison logic. This occurs when a secure cookie set via HTTPS is followed by a redirection to an insecure HTTP site using the same cookie name and a path of '/'. The vulnerability stems from a flaw in the path comparison logic, potentially leading to crashes or allowing insecure sites to override secure cookie contents. The issue arises when curl reads beyond heap buffer boundaries. The vulnerability could allow an attacker to control an HTTP site with the same name as the HTTPS version or perform a Man-in-the-Middle (MITM) attack. **Recommendations** Upgrade to curl version 7.74.0-1.3+deb11u16 or later. Upgrade to the latest available version of curl.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** When utilizing the `CURLOPT PINNEDPUBLICKEY` option in libcurl or the `--pinnedpubkey` option with the curl tool, the software should verify the server certificate's public key to confirm the peer's identity. A condition existed where this check was bypassed, allowing connections without proper verification and potentially enabling connections to an impostor. This occurred specifically when using QUIC with ngtcp2 built to use GnuTLS, and when standard certificate verification was explicitly disabled. The vulnerable component is the public key verification process when using pinned public keys. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** A bearer token leak occurs on a cross-protocol redirect. The issue involves curl and potentially allows unauthorized access due to the leakage of sensitive authentication tokens. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** The curl software is subject to a security issue. Details regarding the nature of the issue are not available from the provided information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libssh (affected versions not specified) **Description** The libssh software contains a flaw related to a global knownhost override. This issue could potentially allow an attacker to bypass host key verification, potentially leading to man-in-the-middle attacks. The issue involves the way libssh handles known hosts, allowing for a global override of host key checks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: curl (affected versions not specified) Description: The websocket code in curl did not update the 32-bit mask pattern for each new outgoing frame, as required by the specification. Instead, a fixed mask was used throughout the entire connection. This predictable mask pattern could allow a malicious server to induce traffic between communicating parties that a proxy server might interpret as genuine HTTP traffic, potentially poisoning its cache and serving malicious content to users. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: curl versions 6.5 through 8.11.0 Description: The issue arises when curl is used with a `.netrc` file for credentials and follows HTTP redirects. Under certain circumstances, curl could leak the password used for the first host to the followed-to host. This flaw only manifests itself if the `.netrc` file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. Recommendations: For versions 6.5 through 8.11.0, upgrade to version 8.11.1 or later to mitigate the risk of credential leakage. As a temporary workaround, consider avoiding the use of `.netrc` files with curl or restricting access to sensitive information when following HTTP redirects.