{"id":28124,"date":"2025-09-10T07:49:32","date_gmt":"2025-09-10T05:49:32","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=28124"},"modified":"2025-09-10T11:08:28","modified_gmt":"2025-09-10T09:08:28","slug":"curl-8-16-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2025\/09\/10\/curl-8-16-0\/","title":{"rendered":"curl 8.16.0"},"content":{"rendered":"\n<p>Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/07\/16\/curl-8-15-0\/\" data-type=\"post\" data-id=\"27656\">8.15.0<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.16.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/n9RRiAOlT-A?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\">the 270th release<br>17 changes<br>56 days (total: 10,036)<br>260 bugfixes (total: 12,538)<br>453 commits (total: 36,025)<br>2 new public libcurl function (total: 98)<br>0 new curl_easy_setopt() option (total: 308)<br>3 new curl command line option (total: 272)<br>76 contributors, 39 new (total: 3,499)<br>32 authors, 17 new (total: 1,410)<br>2 security fixes (total: 169)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>We publish two severity-low vulnerabilities in sync with this release:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li> <a href=\"https:\/\/curl.se\/docs\/CVE-2025-9086.html\">CVE-2025-9086<\/a> identifies a bug in the cookie path handler that can make curl get confused and override a secure cookie with a non-secure one using the same name. If the planets all happen to align correctly.<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-10148.html\">CVE-2025-10148<\/a> points out a mistake in the WebSocket implementation that makes curl <em>not<\/em> update the frame mask correctly for each new outgoing frame &#8211; as it is supposed to.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<p>We have a long range of changes this time:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>curl gets a <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/08\/06\/follow-redirects-but-differently\/\" data-type=\"post\" data-id=\"27947\"><code>--follow<\/code> option<\/a><\/li>\n\n\n\n<li>curl gets an <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/07\/30\/output-nothing-with-out-null\/\" data-type=\"post\" data-id=\"27912\"><code>--out-null<\/code> option<\/a><\/li>\n\n\n\n<li>curl gets a <code>--parallel-max-host<\/code> option to limit concurrent connections per host<\/li>\n\n\n\n<li><code>--retry-delay<\/code> and <code>--retry-max-time<\/code> accept decimal seconds<\/li>\n\n\n\n<li>curl gets support for <code><a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/07\/31\/option-parsing-in-curl\/\" data-type=\"post\" data-id=\"27528\">--longopt=value<\/a><\/code><\/li>\n\n\n\n<li>curl <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/08\/07\/curl-tells-the-time\/\" data-type=\"post\" data-id=\"28007\">-w now supports %time{}<\/a><\/li>\n\n\n\n<li>now libcurl caches <em>negative<\/em> name resolves<\/li>\n\n\n\n<li>ip happy eyeballing: <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/08\/04\/even-happier-eyeballs\/\" data-type=\"post\" data-id=\"27953\">keep attempts running<\/a><\/li>\n\n\n\n<li>bump minimum mbedtls version required to 3.2.0<\/li>\n\n\n\n<li>add <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_multi_get_offt.html\">curl_multi_get_offt<\/a>() for getting multi related information<\/li>\n\n\n\n<li>add <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLMOPT_NETWORK_CHANGED.html\">CURLMOPT_NETWORK_CHANGED<\/a> to signal network changed to libcurl<\/li>\n\n\n\n<li>use the <code>NETRC<\/code> environment variable (first) if set<\/li>\n\n\n\n<li>bump minimum required mingw-w64 to v3.0 (from v1.0)<\/li>\n\n\n\n<li>smtp: allow suffix behind a mail address for RFC 3461<\/li>\n\n\n\n<li>make default TLS version be minimum 1.2<\/li>\n\n\n\n<li><a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/07\/29\/carving-out-msh3\/\" data-type=\"post\" data-id=\"27332\">drop support for msh3<\/a><\/li>\n\n\n\n<li>support CURLOPT_READFUNCTION for WebSocket<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>The official bugfix count surpassed 250 this cycle and we have documented them all in <a href=\"https:\/\/curl.se\/ch\/\">the changelog<\/a>, including links to most issues or pull-requests where they originated.<\/p>\n\n\n\n<p>See the release presentation for a walk-through of some of the perhaps most interesting ones.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0. Release presentation Numbers the 270th release17 changes56 days (total: 10,036)260 bugfixes (total: 12,538)453 commits (total: 36,025)2 new public libcurl function (total: 98)0 new curl_easy_setopt() option (total: 308)3 new curl command line option (total: &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2025\/09\/10\/curl-8-16-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.16.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":28154,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-28124","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=28124"}],"version-history":[{"count":19,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28124\/revisions"}],"predecessor-version":[{"id":28185,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28124\/revisions\/28185"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/28154"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=28124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=28124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=28124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}