{"id":30202,"date":"2026-06-26T13:34:00","date_gmt":"2026-06-26T11:34:00","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=30202"},"modified":"2026-06-26T14:02:37","modified_gmt":"2026-06-26T12:02:37","slug":"a-curl-mountain-movie","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2026\/06\/26\/a-curl-mountain-movie\/","title":{"rendered":"A curl mountain movie"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">One of my favorite visuals for known vulnerabilities in curl is <em>the mountain<\/em>. It shows how many currently known vulnerabilities were present in the code throughout curl&#8217;s history.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At the end of June 2026 it looks like this:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a3e88b48c68c&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a3e88b48c68c\" class=\"aligncenter size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"2751\" height=\"1547\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on--pointerdown=\"actions.preloadImage\" data-wp-on--pointerenter=\"actions.preloadImageWithDelay\" data-wp-on--pointerleave=\"actions.cancelPreload\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-26-at-11-48-10-curl-Project-status-dashboard.png\" alt=\"\" 
class=\"wp-image-30327\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Over time we get more vulnerabilities reported. Since every flaw has a version range during which the problem existed, and more issues have overlapping version ranges, the mountain grows. It changes shape every time we do a release or publish a new vulnerability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At this moment in time, <a href=\"https:\/\/curl.se\/ch\/7.34.0.html\">curl version 7.34.0<\/a> is the release that contains the most known vulnerabilities: <a href=\"https:\/\/curl.se\/docs\/vuln-7.34.0.html\">101<\/a>. The worst one ever, if you will. Out of a total of 206.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The mountain uses different colors for different severity levels of the published vulnerabilities, as the legend in the top-left of the image explains.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To illustrate the ever-changing nature of the shape and size, I wrote a script that renders <em>the mountain<\/em> the way it looked at specific dates in the past up until today. More specifically, the script renders one image for every month since curl started (March 1998). 
I then turned these 340 individual images into a little movie that shows how it grew into today&#8217;s shape. At four months\/second.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"The curl vulnerability mountain development timeline\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/aa0TQU0J8yc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The data for this comes from <a href=\"https:\/\/github.com\/curl\/curl-www\/blob\/master\/docs\/vuln.pm\">vuln.pm<\/a> and the <a href=\"https:\/\/github.com\/curl\/curl\">curl git repository<\/a>. The graph rendering is based on the <a href=\"https:\/\/github.com\/curl\/stats\/\">dashboard scripts<\/a>. All images were put into a movie with ffmpeg, of course.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The 2016 drop<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Several people have asked what happened in 2016 that caused the notable drop. A slope, if you will.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If we zoom in on that, we can spot that <a href=\"https:\/\/curl.se\/ch\/7.51.0.html\">curl 7.51.0<\/a> has eleven fewer vulnerabilities than the version before it. This release was the first one after the 2016 <a href=\"https:\/\/daniel.haxx.se\/blog\/2016\/11\/23\/curl-security-audit\/\" data-type=\"post\" data-id=\"9346\">Cure53 code audit<\/a>, but other than that there is no clear, distinct process or obvious code change that explains this trend shift.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lots of other graphs show just the ordinary pace and growth in various project areas. 
It was still fairly early days CI-wise, but the project had been running at least a few CI jobs per commit for a few years already by then.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">curl was adopted into the OSS-Fuzz project in July 2017, which has since helped us find some issues more effectively, but the drop looks like it happened before then.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We had already been analyzing the code regularly on Coverity for a few years.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Better tooling? New compiler options? We simply don&#8217;t know.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Future<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As we keep announcing more vulnerabilities going forward, things will continue to change. Maybe I will come back and make another movie in five years?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of my favorite visuals for known vulnerabilities in curl is the mountain. It shows how many currently known vulnerabilities were present in the code throughout curl&#8217;s history. At the end of June 2026 it looks like this: Over time we get more vulnerabilities reported. 
Since every flaw has a version range during which the &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/06\/26\/a-curl-mountain-movie\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">A curl mountain movie<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":25741,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,109],"class_list":["post-30202","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-movies"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=30202"}],"version-history":[{"count":22,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30202\/revisions"}],"predecessor-version":[{"id":30348,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30202\/revisions\/30348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/25741"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=30202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=30202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=30202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}