This is a patch-release done only a week since the previous version with no changes merged only bugfixes. Because some of the regressions in 8.14.0 were a little too annoying to leave unattended for a full cycle.
Release presentation
Numbers
the 268th release 0 changes 7 days (total: 9,938) 35 bugfixes (total: 12,049) 48 commits (total: 35,238) 0 new public libcurl function (total: 96) 0 new curl_easy_setopt() option (total: 308) 0 new curl command line option (total: 269) 20 contributors, 4 new (total: 3,431) 9 authors, 1 new (total: 1,376) 1 security fix (total: 167)
Security
CVE-2025-5399: WebSocket endless loop. A malicious WebSocket server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. Severity LOW.
the 266th release 12 changes 48 days (total: 9,875) 305 bugfixes (total: 11,786) 499 commits (total: 34,782) 0 new public libcurl function (total: 96) 1 new curl_easy_setopt() option (total: 307) 1 new curl command line option (total: 268) 71 contributors, 37 new (total: 3,379) 41 authors, 16 new (total: 1,358) 0 security fixes (total: 164)
Changes
curl: new write-out variable ‘tls_earlydata’
curl: –url supports a file with URLs
curl: add ’64dec’ function for base64 decoding
IMAP: add CURLOPT_UPLOAD_FLAGS and –upload-flags
add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
gnutls: set priority via –ciphers
OpenSSL/quictls: support TLSv1.3 early data
wolfSSL: support TLSv1.3 early data
rustls: add support for CERTINFO
rustls: add support for SSLKEYLOGFILE
rustls: support ECH w/ DoH lookup for config
rustls: support native platform verifier
Records
This release broke the old project record and is the first release ever to contain more than 300 bugfixes since the previous release. There were so many bugfixes landed that I decided to not even list my favorites in this blog post the way I have done in the past. Go read the full changelog, or watch the release video to see me talk about some of them.
Another project record broken in this release is the amount commits merged into the repository since the previous release: 501.
the 264th release 8 changes 56 days (total: 9,819) 244 bugfixes (total: 11,417) 367 commits (total: 34,180) 2 new public libcurl function (total: 96) 0 new curl_easy_setopt() option (total: 306) 1 new curl command line option (total: 267) 65 contributors, 34 new (total: 3,332) 34 authors, 18 new (total: 1,341) 3 security fixes (total: 164)
Security
CVE-2025-0167: netrc and default credential leak. When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.
CVE-2025-0665: eventfd double close. libcurl would wrongly close the same file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
CVE-2025-0725: gzip integer overflow. When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. There should be virtually no users left using such an old and vulnerable zlib version.
Welcome to another curl release. This time we do a bugfix only release, five weeks since the previous version shipped.
Release Presentation
Numbers
the 263rd release 0 changes 35 days (total: 9,763) 79 bugfixes (total: 11,173) 115 commits (total: 33,811) 0 new public libcurl function (total: 94) 0 new curl_easy_setopt() option (total: 306) 0 new curl command line option (total: 266) 51 contributors, 32 new (total: 3,299) 22 authors, 10 new (total: 1,323) 1 security fixes (total: 161)
Security
CVE-2024-11053: netrc and redirect credential leak. (Severity: Low) When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
Bugfixes
As usual, here follows some bugfixes I figure could be worth highlighting. See the changelog on the curl site for the full list of changes.
curl
–continue-at is mutually exclusive with –no-clobber
–continue-at is mutually exclusive with –range
–continue-at is mutually exclusive with –remove-on-error
use real time in trace timestamps
scripts
dmaketgz: use –no-cache when building docker image
libcurl
duphandle: also init netrc
hostip: don’t use the resolver for FQDN localhost
mime: fix reader stall on small read lengths
mprintf: fix integer overflow checks
multi: fix callback for CURLMOPT_TIMERFUNCTION not being called again
netrc: address several netrc parser flaws
netrc: support large file, longer lines, longer tokens
socket: handle binding to “host!”
http related
http_negotiate: allow for a one byte larger channel binding buffer
digest: produce a shorter cnonce in Digest headers
cookie: treat cookie name case sensitively
nghttp2: use custom memory functions
protocols
libssh: use libssh sftp_aio to upload file
libssh: when using IPv6 numerical address, add brackets
OpenSSL: improved error message on expired certificate
rtsp: check EOS in the RTSP receive and return an error code
Welcome to this follow-up patch release, just a week after we shipped 8.10.0. A bunch of bugfixes.
Numbers
the 261th release 0 changes 7 days (total: 9,679) 24 bugfixes (total: 10,828) 50 commits (total: 33,259) 0 new public libcurl function (total: 94) 0 new curl_easy_setopt() option (total: 306) 0 new curl command line option (total: 265) 19 contributors, 7 new (total: 3,246) 9 authors, 1 new (total: 1,303) 0 security fixes (total: 158)
Download the new curl release from curl.se as always.
Release presentation
Bugfixes
These are the perhaps most important ones fixed this time:
fix configure –with-ca-embed. It could otherwise sometimes lead to an empty bundled CA store.
cmake: ensure CURL_USE_OPENSSL/USE_OPENSSL_QUIC are set in sync
cmake: fix MSH3 to appear on the feature list
runtests: accecpt ‘quictls’ as OpenSSL compatible. It would previously skip a few tests that are marked OpenSSL specific.
connect: store connection info when really done
fix FTP CRLF line endings for ASCII transfer regression. Perhaps most notably this problem was seen on directory listings, which are done using ASCII mode.
fix HTTP/2 end-of-stream handling when uploading data from stdin
http: make max-filesize check not count ignored bodies. Like in the case where a URL is redirected to a second place, the first URL might still provide a body that curl ignores.
fix AF_INET6 use outside of USE_IPV6. Made the build fail on systems without IPv6 support.
check that the multi handle is valid in curl_multi_assign. Perhaps not exactly libcurl’s responsibility, but we found at least one application that did this after the 8.10.0 upgrade.
on QUIC connects, keep on trying on draining server
request: correctly reset the eos_sent flag. When doing multiple HTTP/2 uploads using the same handle – this caused problems for git.
transfer: fix sendrecv() without interim poll. An optimization that optimized a little too much… Most commonly this problem was seen with PHP programs that often (but unwisely) skip the polling.
rustls: fixed minor logic bug in default cipher selection
rustls: support strong CSRNG data. Now every curl build using TLS ensures use of strong random numbers.
trurl is slowing growing up and maturing. This is a minor patch release following up the previous one done just a few weeks ago, fixing a few annoying bugs only.
The query parameter normalization introduced in 0.15 did not properly handle query pairs when one of the sides of the ‘=’ was blank.
Make the generated manpage “source” to use the version number, not the title – which should be plain trurl.
A minuscule escaping mistake in the manual markdown made the output render wrongly.
Only install the manpage for ‘make install’ if there really is a manpage present – since it is generated and bundled in the release tarball it is not necessary present when users build their own
Future
I have this feeling that we still have use cases and combinations that we don’t have tested in the test suite so we probably need to do a few more minor or patch releases until we are ready to bump this baby to 1.0.
the 260th release 18 changes 42 days (total: 9,672) 245 bugfixes (total: 10,804) 461 commits (total: 33,209) 0 new public libcurl function (total: 94) 0 new curl_easy_setopt() option (total: 306) 2 new curl command line option (total: 265) 57 contributors, 28 new (total: 3,239) 27 authors, 14 new (total: 1,302) 1 security fixes (total: 158)
Download the new curl release from curl.se as always.
Release presentation
Security
CVE-2024-8096: OCSP stapling bypass with GnuTLS When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.
support for setting TLS version and ciphers for Rustls
stop offering ALPN http/1.1 for http2-prior-knowledge
support for sslcert/sslkey blob options for wolfSSL
release tarball 100% reproducible. We also provide verify-release a convenient shell script allowing anyone and everyone to easily verify curl release tarballs.
Bugfixes
See the full changelog for the complete list. Here follows my favorite subset:
build: add poll() detection for cross-builds
cmake: 40+ bugfixes
configure: fail if PSL is not disabled but not found
runtests: remove “has_textaware”
curl: find curlrc in XDG_CONFIG_HOME without leading dot
curl: make the progress bar detect terminal width changes
curl: bump maximum post data size in memory to 16GB
bearssl/mbedtls/rustls/wolfssl: fix setting tls version
gnutls/wolfssl: improve error message when certificate fails
gnutls: send all data
openssl: certinfo errors now fail correctly
sectransp: fix setting tls version
x509asn1: raise size limit for x509 certification information
ftp: always offer line end conversions
ftp: fix pollset for listening
http2: improved upload eos handling
idn: support non-UTF-8 input under AppleIDN
ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
pop3: fix multi-line responses
managen: fix superfluous leading blank line in quoted sections. Nicer HTML version of the manpages.
managen: in man output, remove the leading space from examples
managen: wordwrap long example lines in ASCII output. Nicer curl --manual and -h output.
manpage: ensure a maximum width for the text version.
connect: always prefer ipv6 in IP eyeballing
aws_sigv4: fix canon order for headers with same prefix
cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows
rand: only provide weak random when needed
sigpipe: init the struct so that first apply ignores
