{"id":28861,"date":"2026-01-07T08:06:55","date_gmt":"2026-01-07T07:06:55","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=28861"},"modified":"2026-01-07T11:01:36","modified_gmt":"2026-01-07T10:01:36","slug":"curl-8-18-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2026\/01\/07\/curl-8-18-0\/","title":{"rendered":"curl 8.18.0"},"content":{"rendered":"\n<p>Download curl from <a href=\"https:\/\/curl.se\/\">curl.se<\/a>!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.18.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/QVxFW6eqG_c?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\">the 272nd release<br>5 changes<br>63 days (total: 10,155)<br>391 bugfixes (total: 13,376)<br>758 commits (total: 37,486)<br>0 new public libcurl function (total: 100)<br>0 new curl_easy_setopt() option (total: 308)<br>0 new curl command line option (total: 273)<br>69 contributors, 36 new (total: 3,571)<br>37 authors, 14 new (total: 1,430)<br>6 security fixes (total: 176)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>This time there are no less than <em>six<\/em> separate vulnerabilities announced.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-13034.html\">CVE-2025-13034<\/a>: skipping pinning check for HTTP\/3 with GnuTLS<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-14017.html\">CVE-2025-14017<\/a>: broken TLS 
options for threaded LDAPS<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-14524.html\">CVE-2025-14524<\/a>: bearer token leak on cross-protocol redirect<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-14819.html\">CVE-2025-14819<\/a>: OpenSSL partial chain store policy bypass<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-15079.html\">CVE-2025-15079<\/a>: libssh global knownhost override<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2025-15224.html\">CVE-2025-15224<\/a>: libssh key passphrase bypass without agent set<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<p>There are a few this time, mostly around dropping support for various dependencies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>drop support for VS2008 (Windows)<\/li>\n\n\n\n<li>drop Windows CE \/ CeGCC support<\/li>\n\n\n\n<li>drop support for GnuTLS &lt; 3.6.5<\/li>\n\n\n\n<li>gnutls: implement CURLOPT_CAINFO_BLOB<\/li>\n\n\n\n<li>openssl: bump minimum OpenSSL version to 3.0.0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>See the release presentation video for a walk-through of some of the most important\/interesting fixes done for this release, or go check out the full list in <a href=\"https:\/\/curl.se\/ch\/\">the changelog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Download curl from curl.se! 
Release presentation Numbers the 272nd release5 changes63 days (total: 10,155)391 bugfixes (total: 13,376)758 commits (total: 37,486)0 new public libcurl function (total: 100)0 new curl_easy_setopt() option (total: 308)0 new curl command line option (total: 273)69 contributors, 36 new (total: 3,571)37 authors, 14 new (total: 1,430)6 security fixes (total: 176) Security This time &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/01\/07\/curl-8-18-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.18.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":28955,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-28861","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=28861"}],"version-history":[{"count":9,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28861\/revisions"}],"predecessor-version":[{"id":28982,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/28861\/revisions\/28982"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/28955"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=28861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se
\/blog\/wp-json\/wp\/v2\/categories?post=28861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=28861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}