Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0.

Release presentation

Numbers

the 270th release
17 changes
56 days (total: 10,036)
260 bugfixes (total: 12,538)
453 commits (total: 36,025)
2 new public libcurl function (total: 98)
0 new curl_easy_setopt() option (total: 308)
3 new curl command line option (total: 272)
76 contributors, 39 new (total: 3,499)
32 authors, 17 new (total: 1,410)
2 security fixes (total: 169)

Security

We publish two severity-low vulnerabilities in sync with this release:

• CVE-2025-9086 identifies a bug in the cookie path handler that can make curl get confused and override a secure cookie with a non-secure one using the same name. If the planets all happen to align correctly.
• CVE-2025-10148 points out a mistake in the WebSocket implementation that makes curl not update the frame mask correctly for each new outgoing frame – as it is supposed to.

Changes

We have a long range of changes this time:

• curl gets a --follow option
• curl gets an --out-null option
• curl gets a --parallel-max-host option to limit concurrent connections per host
• --retry-delay and --retry-max-time accept decimal seconds
• curl gets support for --longopt=value
• curl -w now supports %time{}
• now libcurl caches negative name resolves
• ip happy eyeballing: keep attempts running
• bump minimum mbedtls version required to 3.2.0
• add curl_multi_get_offt() for getting multi related information
• add CURLMOPT_NETWORK_CHANGED to signal network changed to libcurl
• use the NETRC environment variable (first) if set
• bump minimum required mingw-w64 to v3.0 (from v1.0)
• smtp: allow suffix behind a mail address for RFC 3461
• make default TLS version be minimum 1.2
• drop support for msh3
• support CURLOPT_READFUNCTION for WebSocket

Bugfixes

The official bugfix count surpassed 250 this cycle and we have documented them all in the changelog, including links to most issues or pull-requests where they originated.

See the release presentation for a walk-through of some of the perhaps most interesting ones.

This is a patch-release done only a week since the previous version with no changes merged only bugfixes. Because some of the regressions in 8.14.0 were a little too annoying to leave unattended for a full cycle.

Release presentation

Numbers

the 268th release
0 changes
7 days (total: 9,938)
35 bugfixes (total: 12,049)
48 commits (total: 35,238)
0 new public libcurl function (total: 96)
0 new curl_easy_setopt() option (total: 308)
0 new curl command line option (total: 269)
20 contributors, 4 new (total: 3,431)
9 authors, 1 new (total: 1,376)
1 security fix (total: 167)

Security

CVE-2025-5399: WebSocket endless loop. A malicious WebSocket server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. Severity LOW.

Bugfixes

We count about 31 bugfixes, view them all on the 8.14.1 changelog page.

Welcome to another curl release.

Release presentation

Numbers

the 267th release
6 changes
56 days (total: 9,931)
229 bugfixes (total: 12,015)
406 commits (total: 35,190)
0 new public libcurl function (total: 96)
1 new curl_easy_setopt() option (total: 308)
1 new curl command line option (total: 269)
91 contributors, 47 new (total: 3,426)
36 authors, 17 new (total: 1,375)
2 security fixes (total: 166)

Security

• CVE-2025-4947: QUIC certificate check skip with wolfSSL
• CVE-2025-5025: No QUIC certificate pinning with wolfSSL

Changes

• When doing MQTT, curl now sends pings
• The Schannel backend now supports pkcs12 client certificates containing CA certificates
• Added CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs for the OpenSSL backend
• ngtcp2 + OpenSSL’s new QUIC API is now supported. Requires OpenSSL 3.5 or later.
• wcurl comes bundled in the curl tarball
• websocket can now disable auto-pong

Bugfixes

See the changelog on the curl site for the full set, or watch the release presentation for a “best of” collection.

Welcome to another curl release.

Download it here.

Release presentation

Numbers

the 266th release
12 changes
48 days (total: 9,875)
305 bugfixes (total: 11,786)
499 commits (total: 34,782)
0 new public libcurl function (total: 96)
1 new curl_easy_setopt() option (total: 307)
1 new curl command line option (total: 268)
71 contributors, 37 new (total: 3,379)
41 authors, 16 new (total: 1,358)
0 security fixes (total: 164)

Changes

• curl: new write-out variable ‘tls_earlydata’
• curl: –url supports a file with URLs
• curl: add ’64dec’ function for base64 decoding
• IMAP: add CURLOPT_UPLOAD_FLAGS and –upload-flags
• add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
• gnutls: set priority via –ciphers
• OpenSSL/quictls: support TLSv1.3 early data
• wolfSSL: support TLSv1.3 early data
• rustls: add support for CERTINFO
• rustls: add support for SSLKEYLOGFILE
• rustls: support ECH w/ DoH lookup for config
• rustls: support native platform verifier

Records

This release broke the old project record and is the first release ever to contain more than 300 bugfixes since the previous release. There were so many bugfixes landed that I decided to not even list my favorites in this blog post the way I have done in the past. Go read the full changelog, or watch the release video to see me talk about some of them.

Another project record broken in this release is the amount commits merged into the repository since the previous release: 501.

This is a quick follow-up patch release due to the number of ugly regressions in the 8.12.0 release.

Release presentation

Numbers

the 265th release
0 changes
8 days (total: 9,827)
65 bugfixes (total: 11,428)
67 commits (total: 34,180)
0 new public libcurl function (total: 96)
0 new curl_easy_setopt() option (total: 306)
0 new curl command line option (total: 267)
25 contributors, 14 new (total: 3,332)
34 authors, 18 new (total: 1,341)
0 security fixes (total: 164)

Bugfixes

libcurl

• asyn-thread: fix build with CURL_DISABLE_SOCKETPAIR
• asyn-thread: fix the returned bitmask from Curl_resolver_getsock
• asyn-thread: survive a c-ares/HTTPSRR channel set to NULL
• content_encoding: #error on too old zlib
• imap/pop3/smtp: TLS upgrade fixes
• include necessary headers for inet_ntop/inet_pton
• drop support for libssh older than 0.9.0
• netrc: return code cleanup, fix missing file error
• openssl-quic: ignore ciphers for h3
• openssl: fix out of scope variables in goto
• vtls: fix multissl-init
• vtsl: eliminate ‘data->state.ssl_scache’
• wakeup_write: make sure the eventfd write sends eight bytes

tool

• tool_ssls: switch to tool-specific get_line function

scripts

• build: add tool_hugehelp.c into IBMi build
• configure/cmake: check for realpath
• configure/cmake: set asyn-rr a feature only if httpsrr is enabled
• runtests: fix the disabling of the memory tracking
• runtests: quote commands to support paths with spaces

docs

• CURLOPT_SSH_KNOWNHOSTS.md: strongly recommend using this
• CURLSHOPT_SHARE.md: adjust for the new SSL session cache
• SPONSORS.md: clarify that we don’t promise goods or services

Release presentation

Numbers

the 264th release
8 changes
56 days (total: 9,819)
244 bugfixes (total: 11,417)
367 commits (total: 34,180)
2 new public libcurl function (total: 96)
0 new curl_easy_setopt() option (total: 306)
1 new curl command line option (total: 267)
65 contributors, 34 new (total: 3,332)
34 authors, 18 new (total: 1,341)
3 security fixes (total: 164)

Security

CVE-2025-0167: netrc and default credential leak. When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

CVE-2025-0665: eventfd double close. libcurl would wrongly close the same file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

CVE-2025-0725: gzip integer overflow. When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. There should be virtually no users left using such an old and vulnerable zlib version.

Changes

• curl: add byte range support to –variable reading from file
• curl: make –etag-save acknowledge –create-dirs
• curl: add ‘time_queue’ variable to -w
• getinfo: provide info which auth was used for HTTP and proxy:
• openssl: add support to use keys and certificates from PKCS#11 provider
• QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
• vtls: feature ssls-export for SSL session im-/export
• hyper: dropped support

Bugfixes

Some of the bugfixes to highlight.

libcurl

• acknowledge CURLOPT_DNS_SERVERS set to NULL
• fix CURLOPT_CURLU override logic
• initial HTTPS RR resolve support
• ban use of sscanf()
• conncache: count shutdowns against host and max limits
• support use of custom libzstd memory functions
• cap cookie expire times to 400 days
• parse only the exact cookie expire date
• include the shutdown connections in the set curl_multi_fdset returns
• easy_lock: use Sleep(1) for thread yield on old Windows
• ECH: update APIs to those agreed with OpenSSL maintainers
• fix ‘time_appconnect’ for early data with GnuTLS
• HTTP/2 and HTTP7/3: strip TE request header
• mbedtls: fix handling of blocked sends
• mime: explicitly rewind subparts at attachment time.
• fix mprintf integer handling in float precision
• terminate snprintf output on windows
• fix curl_multi_waitfds reporting of fd_count
• fix return code for an already-removed easy handle from multi handle
• add an ssl_scache to the multi handle
• auto-enable OPENSSL_COEXIST for wolfSSL + OpenSSL builds
• use SSL_poll to determine writeability of OpenSSL QUIC streams
• free certificate on error with Secure Transport
• fix redirect handling to a new fragment or query (only)
• return “IDN” feature set for winidn and appleidn

scripts

• numerous cmake improvements
• scripts/mdlinkcheck: markdown link checker

curl tool

• return error if etag options are used with multiple URLs
• accept digits in –form type= strings
• make –etag-compare accept a non-existing file

docs

• add INFRASTRUCTURE.md describing project infra

Next

The next release is probably going to be curl 8.13.0 and if things go well, it ships on April 2, 2025.

Welcome to another curl release. This time we do a bugfix only release, five weeks since the previous version shipped.

Release Presentation

Numbers

the 263rd release
0 changes
35 days (total: 9,763)
79 bugfixes (total: 11,173)
115 commits (total: 33,811)
0 new public libcurl function (total: 94)
0 new curl_easy_setopt() option (total: 306)
0 new curl command line option (total: 266)
51 contributors, 32 new (total: 3,299)
22 authors, 10 new (total: 1,323)
1 security fixes (total: 161)

Security

CVE-2024-11053: netrc and redirect credential leak. (Severity: Low) When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

Bugfixes

As usual, here follows some bugfixes I figure could be worth highlighting. See the changelog on the curl site for the full list of changes.

curl

• –continue-at is mutually exclusive with –no-clobber
• –continue-at is mutually exclusive with –range
• –continue-at is mutually exclusive with –remove-on-error
• use real time in trace timestamps

scripts

• dmaketgz: use –no-cache when building docker image

libcurl

• duphandle: also init netrc
• hostip: don’t use the resolver for FQDN localhost
• mime: fix reader stall on small read lengths
• mprintf: fix integer overflow checks
• multi: fix callback for CURLMOPT_TIMERFUNCTION not being called again
• netrc: address several netrc parser flaws
• netrc: support large file, longer lines, longer tokens
• socket: handle binding to “host!”

http related

• http_negotiate: allow for a one byte larger channel binding buffer
• digest: produce a shorter cnonce in Digest headers
• cookie: treat cookie name case sensitively
• nghttp2: use custom memory functions

protocols

• libssh: use libssh sftp_aio to upload file
• libssh: when using IPv6 numerical address, add brackets
• OpenSSL: improved error message on expired certificate
• rtsp: check EOS in the RTSP receive and return an error code
• schannel: remove TLS 1.3 ciphersuite-list support
• fixes for wolfSSL OPENSSL_COEXIST

Numbers

the 262nd release
5 changes
49 days (total: 9,728)
266 bugfixes (total: 11,094)
435 commits (total: 33,694)
0 new public libcurl function (total: 94)
0 new curl_easy_setopt() option (total: 306)
1 new curl command line option (total: 266)
55 contributors, 22 new (total: 3,268)
25 authors, 10 new (total: 1,312)
1 security fixes (total: 160)

Release presentation

Security

CVE-2024-9681: HSTS subdomain overwrites parent cache entry. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain’s cache entry, making it end sooner or later than otherwise intended.

Changes

• –create-dirs works for –dump-header as well
• P12 format support added to GnuTLS backend
• Added options to disable IPFS
• TLSv1.3 earlydata support (with GnuTLS)
• Official WebSocket support

Bugfixes

These are some of my favorite bugfixes in this release.

Build

• cmake: document -D and env build options
• configure: add support for ‘unity’ builds
• configure: set linker flags to allow rustls build on macos

curl

• detect ECH support dynamically, not at build time
• support –show-headers AND –remote-header-name
• make –skip-existing work for –parallel

libcurl

• conncache: find bundle again in case it is removed
• curl.h: remove the struct pointer for CURL/CURLSH/CURLM typedefs
• ftp: fix 0-length last write on upload from stdin
• hsts: support “implied LWS” properly around max-age
• lib: remove function pointer typecasts for hmac/sha256/md5
• mprintf: do not ignore length modifiers of %o, %x, %X
• mprintf: treat %o as unsigned
• multi: make curl_multi_cleanup invalidate magic latter
• multi: make multi_handle_timeout use the connect timeout
• netrc: cache the netrc file in memory
• select: use poll() if existing, avoid poll() with no sockets
• url: use same credentials on redirect
• urlapi: normalize the IPv6 address

protocols

• ngtcp2: set max window size to 10x of initial (128KB)
• url: connection reuse on h3 connections
• gnutls: use session cache for QUIC
• mbedTLS: fix handling of TLSv1.3 sessions
• schannel: ignore error on recv beyond close notify
• schannel: reclassify extra-verbose schannel_recv messages
• quic: use send/recvmmsg when available
• quic: use the session cache with wolfSSL as well

tests

• generate lib1521.c atomically
• remove all valgrind disable instructions
• remove debug requirement on 38 tests
• use ‘-4’ where needed

Next

Unless we find a terrible regression, the next curl release is scheduled to ship on January 8, 2025.

Welcome to this follow-up patch release, just a week after we shipped 8.10.0. A bunch of bugfixes.

Numbers

the 261th release
0 changes
7 days (total: 9,679)
24 bugfixes (total: 10,828)
50 commits (total: 33,259)
0 new public libcurl function (total: 94)
0 new curl_easy_setopt() option (total: 306)
0 new curl command line option (total: 265)
19 contributors, 7 new (total: 3,246)
9 authors, 1 new (total: 1,303)
0 security fixes (total: 158)

Download the new curl release from curl.se as always.

Release presentation

Bugfixes

These are the perhaps most important ones fixed this time:

• fix configure –with-ca-embed. It could otherwise sometimes lead to an empty bundled CA store.
• cmake: ensure CURL_USE_OPENSSL/USE_OPENSSL_QUIC are set in sync
• cmake: fix MSH3 to appear on the feature list
• runtests: accecpt ‘quictls’ as OpenSSL compatible. It would previously skip a few tests that are marked OpenSSL specific.
• connect: store connection info when really done
• fix FTP CRLF line endings for ASCII transfer regression. Perhaps most notably this problem was seen on directory listings, which are done using ASCII mode.
• fix HTTP/2 end-of-stream handling when uploading data from stdin
• http: make max-filesize check not count ignored bodies. Like in the case where a URL is redirected to a second place, the first URL might still provide a body that curl ignores.
• fix AF_INET6 use outside of USE_IPV6. Made the build fail on systems without IPv6 support.
• check that the multi handle is valid in curl_multi_assign. Perhaps not exactly libcurl’s responsibility, but we found at least one application that did this after the 8.10.0 upgrade.
• on QUIC connects, keep on trying on draining server
• request: correctly reset the eos_sent flag. When doing multiple HTTP/2 uploads using the same handle – this caused problems for git.
• transfer: fix sendrecv() without interim poll. An optimization that optimized a little too much… Most commonly this problem was seen with PHP programs that often (but unwisely) skip the polling.
• rustls: fixed minor logic bug in default cipher selection
• rustls: support strong CSRNG data. Now every curl build using TLS ensures use of strong random numbers.