Haxx Security Vulnerabilities (CVEs)
Track 27 security vulnerabilities affecting Haxx products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
This vulnerability in libcurl allows SSH-based transfers (SCP/SFTP) to accept connections to hosts not listed in the specified known_hosts file if tho...
Jan 8, 2026

Curl incorrectly uses SSH agent authentication for SCP/SFTP transfers even when explicitly configured for public key authentication. This allows attac...
Jan 8, 2026

This vulnerability in curl allows OAuth2 bearer tokens to be incorrectly passed during cross-protocol redirects from HTTP(S) to IMAP, LDAP, POP3, or S...
Jan 8, 2026

A TLS certificate validation vulnerability in libcurl where reusing easy or multi handles with altered CURLSSLOPT_NO_PARTIALCHAIN options could cause ...
Jan 8, 2026

A certificate pinning bypass vulnerability in curl allows attackers to impersonate servers when specific conditions are met. The vulnerability affects...
Jan 8, 2026

CVE-2025-14017 is a thread safety vulnerability in libcurl's LDAPS implementation where TLS option changes in one thread affect all concurrent LDAPS t...
Jan 8, 2026

CVE-2025-10966 is a vulnerability in curl's SSH connection management when using SFTP with the wolfSSH backend, where host verification mechanisms wer...
Nov 7, 2025

A vulnerability in curl's WebSocket implementation uses a fixed 32-bit mask pattern for all outgoing frames instead of generating new random masks per...
Sep 12, 2025

A denial-of-service vulnerability in libcurl's WebSocket implementation allows a malicious server to send a crafted packet that traps libcurl in an en...
Jun 7, 2025

libcurl versions 8.9.0 through 8.10.0 fail to verify TLS certificates for QUIC connections when URLs contain IP addresses instead of hostnames. This a...
May 28, 2025

libcurl incorrectly closes the same eventfd file descriptor twice during threaded name resolution cleanup, causing a use-after-free condition. This vu...
Feb 5, 2025

CVE-2024-6197 is a memory corruption vulnerability in libcurl's ASN.1 parser where invalid UTF-8 strings trigger improper free() calls on stack memory...
Jul 24, 2024

CVE-2024-2398 is a memory leak vulnerability in libcurl that occurs when HTTP/2 server push headers exceed the 1000-header limit. This allows attacker...
Mar 27, 2024

CVE-2023-38039 is a memory exhaustion vulnerability in curl/libcurl where a malicious server can send unlimited HTTP headers, causing curl to consume ...
Sep 15, 2023

This vulnerability in curl versions before 8.1.0 causes information disclosure when reusing a handle between PUT and POST requests. It affects applica...
May 26, 2023

CVE-2023-28319 is a use-after-free vulnerability in curl/libcurl versions before 8.1.0 that occurs during SSH server public key verification. When ver...
May 26, 2023

A vulnerability in curl versions before 8.0 allows attackers to inject malicious content during TELNET protocol negotiation when user input is accepte...
Mar 30, 2023

A path traversal vulnerability in curl's SFTP implementation allows attackers to bypass path filtering by using specially crafted paths containing til...
Mar 30, 2023

A vulnerability in curl versions before 7.88.0 causes HSTS (HTTP Strict Transport Security) to fail when processing multiple URLs sequentially on the ...
Feb 23, 2023

This vulnerability in libcurl allows an attacker to cause memory corruption or data leakage when reusing a handle from a PUT to a POST request. Applic...
Dec 5, 2022

CVE-2022-32207 is a privilege escalation vulnerability in curl versions before 7.84.0 where file permission widening occurs during atomic file operati...
Jul 7, 2022

The curl URL parser incorrectly accepts percent-encoded URL separators like '/' in hostnames, allowing attackers to bypass filters and checks by makin...
Jun 2, 2022

libcurl incorrectly reuses TLS/SSH connections when security settings have changed, potentially allowing sensitive data to be transmitted over less se...
Jun 2, 2022

This curl vulnerability allows information disclosure when an attacker can force curl to reuse an existing IPv6 connection from the pool with a differ...
Jun 2, 2022

This vulnerability in curl versions before 7.83.1 could cause the wrong file to be deleted when using the --no-clobber option with --remove-on-error. ...
Jun 2, 2022

This vulnerability allows attackers to trick libcurl applications into using a malicious client certificate instead of the intended one when running i...
Aug 5, 2021

CVE-2021-22901 is a use-after-free vulnerability in curl/libcurl that allows a malicious TLS 1.3 server to potentially execute arbitrary code on the c...
Jun 11, 2021

Why Monitor Haxx Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 27+ known vulnerabilities affecting Haxx products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Haxx packages in under 60 seconds. No agents required - completely agentless scanning that works across Haxx deployments.
Free vulnerability database: Access detailed information about every Haxx CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.