Analysis Report · curl curl-8_19_0 → curl-8_20_0 — CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
Shared security patch analysis results
Findings
CMake/FindGnuTLS.cmake
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/CMake/FindGnuTLS.cmake 2026-04-30 05:55:45.312313425 +0000
+++ cache/curl_curl-8_20_0/CMake/FindGnuTLS.cmake 2026-04-30 05:55:46.628407243 +0000
@@ -80,10 +80,6 @@
 endif()
 if(GNUTLS_FOUND)
- if(CMAKE_VERSION VERSION_LESS 3.13)
- link_directories(${_gnutls_LIBRARY_DIRS})
- endif()
-
 if(NOT TARGET CURL::gnutls)
 add_library(CURL::gnutls INTERFACE IMPORTED)
 set_target_properties(CURL::gnutls PROPERTIES
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
CMake link_directories global search path injection CMake/FindGnuTLS.cmake Lines 80-85
Old Code
if(GNUTLS_FOUND)
if(CMAKE_VERSION VERSION_LESS 3.13)
link_directories(${_gnutls_LIBRARY_DIRS})
endif()
if(NOT TARGET CURL::gnutls)
add_library(CURL::gnutls INTERFACE IMPORTED)
set_target_properties(CURL::gnutls PROPERTIES
Fixed Code
if(GNUTLS_FOUND)
if(NOT TARGET CURL::gnutls)
add_library(CURL::gnutls INTERFACE IMPORTED)
set_target_properties(CURL::gnutls PROPERTIES
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
CMake/FindLDAP.cmake
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/CMake/FindLDAP.cmake 2026-04-30 05:55:45.312313425 +0000
+++ cache/curl_curl-8_20_0/CMake/FindLDAP.cmake 2026-04-30 05:55:46.628407243 +0000
@@ -103,10 +103,6 @@
 endif()
 if(LDAP_FOUND)
- if(CMAKE_VERSION VERSION_LESS 3.13)
- link_directories(${_ldap_LIBRARY_DIRS})
- endif()
-
 if(NOT TARGET CURL::ldap)
 add_library(CURL::ldap INTERFACE IMPORTED)
 set_target_properties(CURL::ldap PROPERTIES
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Insecure use of CMake link_directories / global library search path injection CMake/FindLDAP.cmake Lines 103-109
Old Code
if(LDAP_FOUND)
if(CMAKE_VERSION VERSION_LESS 3.13)
link_directories(${_ldap_LIBRARY_DIRS})
endif()
if(NOT TARGET CURL::ldap)
add_library(CURL::ldap INTERFACE IMPORTED)
set_target_properties(CURL::ldap PROPERTIES
Fixed Code
if(LDAP_FOUND)
if(NOT TARGET CURL::ldap)
add_library(CURL::ldap INTERFACE IMPORTED)
set_target_properties(CURL::ldap PROPERTIES
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
CMake/FindLibpsl.cmake
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/CMake/FindLibpsl.cmake 2026-04-30 05:55:45.316313711 +0000
+++ cache/curl_curl-8_20_0/CMake/FindLibpsl.cmake 2026-04-30 05:55:46.628407243 +0000
@@ -80,10 +80,6 @@
 endif()
 if(LIBPSL_FOUND)
- if(CMAKE_VERSION VERSION_LESS 3.13)
- link_directories(${_libpsl_LIBRARY_DIRS})
- endif()
-
 if(NOT TARGET CURL::libpsl)
 add_library(CURL::libpsl INTERFACE IMPORTED)
 set_target_properties(CURL::libpsl PROPERTIES
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Use of link_directories causing global library search path pollution [CMake/FindLibpsl.cmake] [80-86]
Old Code:
if(LIBPSL_FOUND)
if(CMAKE_VERSION VERSION_LESS 3.13)
link_directories(${_libpsl_LIBRARY_DIRS})
endif()
if(NOT TARGET CURL::libpsl)
add_library(CURL::libpsl INTERFACE IMPORTED)
set_target_properties(CURL::libpsl PROPERTIES
Fixed Code:
if(LIBPSL_FOUND)
if(NOT TARGET CURL::libpsl)
add_library(CURL::libpsl INTERFACE IMPORTED)
set_target_properties(CURL::libpsl PROPERTIES
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
CMake/FindRustls.cmake
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/CMake/FindRustls.cmake 2026-04-30 05:55:45.316313711 +0000
+++ cache/curl_curl-8_20_0/CMake/FindRustls.cmake 2026-04-30 05:55:46.632407528 +0000
@@ -104,10 +104,6 @@
 mark_as_advanced(MATH_LIBRARY)
 endif()
 
- if(CMAKE_VERSION VERSION_LESS 3.13)
- link_directories(${_rustls_LIBRARY_DIRS})
- endif()
-
 if(NOT TARGET CURL::rustls)
 add_library(CURL::rustls INTERFACE IMPORTED)
 set_target_properties(CURL::rustls PROPERTIES
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Insecure library search path via link_directories CMake/FindRustls.cmake 104-109
Old Code
if(CMAKE_VERSION VERSION_LESS 3.13)
link_directories(${_rustls_LIBRARY_DIRS})
endif()
Fixed Code
if(NOT TARGET CURL::rustls)
add_library(CURL::rustls INTERFACE IMPORTED)
set_target_properties(CURL::rustls PROPERTIES
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
appveyor.sh
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/appveyor.sh 2026-04-30 05:55:45.324314281 +0000+++ cache/curl_curl-8_20_0/appveyor.sh 2026-04-30 05:55:46.636407813 +0000@@ -40,7 +40,7 @@ esac if [ "${APPVEYOR_BUILD_WORKER_IMAGE}" = 'Visual Studio 2022' ]; then- openssl_root_win="C:/OpenSSL-v35${openssl_suffix}"+ openssl_root_win="C:/OpenSSL-v36${openssl_suffix}" openssl_root="$(cygpath "${openssl_root_win}")" elif [ "${APPVEYOR_BUILD_WORKER_IMAGE}" = 'Visual Studio 2019' ]; then openssl_root_win="C:/OpenSSL-v30${openssl_suffix}"@@ -70,28 +70,17 @@ [ "${_chkprefill}" = '_chkprefill' ] && options+=' -D_CURL_PREFILL=OFF' [[ "${CMAKE_GENERATE:-}" = *'-A ARM64'* ]] && SKIP_RUN='ARM64 architecture' [[ "${CMAKE_GENERATE:-}" = *'-DCURL_USE_OPENSSL=ON'* ]] && options+=" -DOPENSSL_ROOT_DIR=${openssl_root_win}"- if [ "${APPVEYOR_BUILD_WORKER_IMAGE}" = 'Visual Studio 2013' ]; then- mkdir "_bld${_chkprefill}"- cd "_bld${_chkprefill}"- options+=' ..'- root='..'- else- options+=" -B _bld${_chkprefill}"- options+=' -DCMAKE_VS_GLOBALS=TrackFileAccess=false'- options+=' -DCMAKE_UNITY_BUILD=ON'- root='.'- fi- # CMAKE_GENERATOR env requires CMake 3.15+, pass it manually to make it work with older versions. # shellcheck disable=SC2086- time cmake -G "${CMAKE_GENERATOR}" \- -DENABLE_DEBUG=ON -DCURL_WERROR=ON \+ time cmake -B "_bld${_chkprefill}" \+ -DENABLE_DEBUG=ON \+ -DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON \+ -DCMAKE_VS_GLOBALS=TrackFileAccess=false \ -DCURL_STATIC_CRT=ON \ -DCURL_DROP_UNUSED=ON \ -DCURL_USE_SCHANNEL=ON -DCURL_USE_LIBPSL=OFF \- ${options} \ ${CMAKE_GENERATE:-} \- || { cat "${root}"/_bld/CMakeFiles/CMake* 2>/dev/null; false; }- [ "${APPVEYOR_BUILD_WORKER_IMAGE}" = 'Visual Studio 2013' ] && cd ..+ ${options} \+ || { cat _bld/CMakeFiles/CMake* 2>/dev/null; false; } done if [ -d _bld_chkprefill ] && ! diff -u _bld/lib/curl_config.h _bld_chkprefill/lib/curl_config.h; then cat _bld_chkprefill/CMakeFiles/CMake* 2>/dev/null || true
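Review bot: The failure handler at the end of the cmake invocation still dumps `_bld/CMakeFiles/CMake*`, while the configure step now writes to `-B "_bld${_chkprefill}"`; if the `_chkprefill` pass fails, the logs printed come from the other build directory or from nowhere. Suggest `|| { cat "_bld${_chkprefill}"/CMakeFiles/CMake* 2>/dev/null; false; }`. Separately, `${options}` is expanded unquoted (SC2086 is disabled on purpose) and carries `-DOPENSSL_ROOT_DIR=${openssl_root_win}`, so the invocation only holds while that path contains no spaces; a bash array would remove that assumption. The enclosing loop starts outside the hunk, so how `_chkprefill` is set is inferred from the `done` and the later `_bld_chkprefill` check.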
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Use of Outdated OpenSSL Version appveyor.sh Lines 40
Old Code
openssl_root_win="C:/OpenSSL-v35${openssl_suffix}"
Fixed Code
openssl_root_win="C:/OpenSSL-v36${openssl_suffix}"
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/HSTS.md
AI: Not Sure
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/HSTS.md 2026-04-30 05:55:45.328314566 +0000+++ cache/curl_curl-8_20_0/docs/HSTS.md 2026-04-30 05:55:46.644408384 +0000@@ -19,6 +19,9 @@ HTTP-only requests to a hostname present in the cache gets internally "redirected" to the HTTPS version. +Since curl 8.20.0, libcurl keeps no more than the most recently added 10,000+unique HSTS hostnames.+ ## `curl_easy_setopt()` options: - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
AI Analysis
Vulnerability Existed: not sure FALSE POSITIVE Potential HSTS cache memory exhaustion / DoS due to unbounded HSTS hostname cache docs/HSTS.md 19-22 Old Code HTTP-only requests to a hostname present in the cache gets internally "redirected" to the HTTPS version. ## `curl_easy_setopt()` options: - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle Fixed Code HTTP-only requests to a hostname present in the cache gets internally "redirected" to the HTTPS version. Since curl 8.20.0, libcurl keeps no more than the most recently added 10,000 unique HSTS hostnames. ## `curl_easy_setopt()` options: - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/KNOWN_BUGS.md
AI: 2 vulnerabilities
1 false positive(s), 1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/KNOWN_BUGS.md 2026-04-30 05:55:45.332314851 +0000+++ cache/curl_curl-8_20_0/docs/KNOWN_BUGS.md 2026-04-30 05:55:46.648408669 +0000@@ -53,6 +53,13 @@ [curl issue 15801](https://github.com/curl/curl/issues/15801) +## Native CA roots incomplete on Windows with OpenSSL (or fork)++Certain Windows installations may be missing CA roots.++[curl issue 20897](https://github.com/curl/curl/issues/20897)+[curl issue 12303](https://github.com/curl/curl/issues/12303)+ # Email protocols ## IMAP `SEARCH ALL` truncated response@@ -106,6 +113,21 @@ See [curl issue 12171](https://github.com/curl/curl/issues/12171) +## Windows stdin relay accepts unauthenticated local connections++curl features a Windows-only stdin relay in `src/tool_doswin.c` that creates a+loopback TCP listener and spawns a thread to accept the first incoming+connection, then forwards stdin to it. There is no authentication or peer+validation on the accepted socket. A local attacker can race to connect to the+ephemeral loopback port (discoverable via local port enumeration/scan) before+curl connects, causing the thread to send stdin/upload data to the attacker or+to disrupt the transfer.++The function should verify the client-side with a random number similar to the+socketpair emulation function in libcurl. It cannot verify the source address+and port since there is this widespread habit on Windows to run tools that+MITM even local TCP connections for security.+ # Build and portability issues ## OS400 port requires deprecated IBM library
AI Analysis
Vulnerability Existed: yes FALSE POSITIVE Native CA roots incomplete on Windows with OpenSSL (or fork) docs/KNOWN_BUGS.md lines 53-60 Old Code [curl issue 15801](https://github.com/curl/curl/issues/15801) # Email protocols Fixed Code [curl issue 15801](https://github.com/curl/curl/issues/15801) ## Native CA roots incomplete on Windows with OpenSSL (or fork) Certain Windows installations may be missing CA roots. [curl issue 20897](https://github.com/curl/curl/issues/20897) [curl issue 12303](https://github.com/curl/curl/issues/12303) # Email protocols Vulnerability Existed: yes TRUE POSITIVE Windows stdin relay accepts unauthenticated local connections docs/KNOWN_BUGS.md lines 106-123 Old Code See [curl issue 12171](https://github.com/curl/curl/issues/12171) # Build and portability issues ## OS400 port requires deprecated IBM library Fixed Code See [curl issue 12171](https://github.com/curl/curl/issues/12171) ## Windows stdin relay accepts unauthenticated local connections curl features a Windows-only stdin relay in `src/tool_doswin.c` that creates a loopback TCP listener and spawns a thread to accept the first incoming connection, then forwards stdin to it. There is no authentication or peer validation on the accepted socket. A local attacker can race to connect to the ephemeral loopback port (discoverable via local port enumeration/scan) before curl connects, causing the thread to send stdin/upload data to the attacker or to disrupt the transfer. The function should verify the client-side with a random number similar to the socketpair emulation function in libcurl. It cannot verify the source address and port since there is this widespread habit on Windows to run tools that MITM even local TCP connections for security. # Build and portability issues ## OS400 port requires deprecated IBM library
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/KNOWN_RISKS.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/KNOWN_RISKS.md 2026-04-30 05:55:45.332314851 +0000+++ cache/curl_curl-8_20_0/docs/KNOWN_RISKS.md 2026-04-30 05:55:46.648408669 +0000@@ -144,3 +144,6 @@ When asking curl or libcurl to automatically decompress data on arrival, there is a risk that the size of the output from the decompression process ends up many times larger than the input data size.++Since curl 8.20.0, users can mitigate this risk by setting the max filesize+option that also covers the decompressed size.
AI Analysis
Vulnerability Existed: yes TRUE POSITIVE Decompression Bomb Risk docs/KNOWN_RISKS.md 144-149 Old Code When asking curl or libcurl to automatically decompress data on arrival, there is a risk that the size of the output from the decompression process ends up many times larger than the input data size. Fixed Code When asking curl or libcurl to automatically decompress data on arrival, there is a risk that the size of the output from the decompression process ends up many times larger than the input data size. Since curl 8.20.0, users can mitigate this risk by setting the max filesize option that also covers the decompressed size.
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/examples/ftp-delete.c
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/examples/ftp-delete.c 2026-04-30 05:55:45.356316562 +0000
+++ cache/curl_curl-8_20_0/docs/examples/ftp-delete.c 2026-04-30 05:55:46.676410665 +0000
@@ -29,7 +29,7 @@
 #include <curl/curl.h>
 
-static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream)
+static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
 {
 (void)buffer;
 (void)stream;
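Review bot: Nothing at `write_cb` records why its first parameter is now `char *`, so a later cleanup could turn it back into `void *` without anyone noticing. A one-line comment above the definition, such as `/* prototype must match curl_write_callback */`, would pin the reason in the example itself. The same applies to the `write_cb` definitions changed in ftpget.c, ftpuploadresume.c, sftpget.c and usercertinmem.c. The function body continues outside the hunk.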
AI Analysis
Vulnerability Existed: yes FALSE POSITIVE Callback Signature Mismatch docs/examples/ftp-delete.c lines 29 Old Code: static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream) Fixed Code: static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/examples/ftpget.c
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/examples/ftpget.c 2026-04-30 05:55:45.356316562 +0000
+++ cache/curl_curl-8_20_0/docs/examples/ftpget.c 2026-04-30 05:55:46.676410665 +0000
@@ -40,7 +40,7 @@
 FILE *stream;
 };
 
-static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream)
+static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
 {
 struct FtpFile *out = (struct FtpFile *)stream;
 if(!out->stream) {
AI Analysis
Vulnerability Existed: yes FALSE POSITIVE Callback Signature Mismatch docs/examples/ftpget.c 40 Old Code static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream) Fixed Code static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/examples/ftpuploadresume.c
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/examples/ftpuploadresume.c 2026-04-30 05:55:45.356316562 +0000
+++ cache/curl_curl-8_20_0/docs/examples/ftpuploadresume.c 2026-04-30 05:55:46.676410665 +0000
@@ -51,7 +51,7 @@
 }
 /* discard downloaded data */
-static size_t write_cb(void *ptr, size_t size, size_t nmemb, void *stream)
+static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *stream)
 {
 (void)ptr;
 (void)stream;
AI Analysis
Vulnerability Existed: yes FALSE POSITIVE Callback signature mismatch docs/examples/ftpuploadresume.c Lines 51 static size_t write_cb(void *ptr, size_t size, size_t nmemb, void *stream) static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *stream)
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/examples/sftpget.c
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/examples/sftpget.c 2026-04-30 05:55:45.364317133 +0000
+++ cache/curl_curl-8_20_0/docs/examples/sftpget.c 2026-04-30 05:55:46.684411236 +0000
@@ -50,7 +50,7 @@
 FILE *stream;
 };
 
-static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream)
+static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
 {
 struct FtpFile *out = (struct FtpFile *)stream;
 if(!out->stream) {
AI Analysis
Vulnerability Existed: yes TRUE POSITIVE Function pointer signature mismatch / Undefined behavior [docs/examples/sftpget.c] [~50] Old Code static size_t write_cb(void *buffer, size_t size, size_t nmemb, void *stream) Fixed Code static size_t write_cb(char *buffer, size_t size, size_t nmemb, void *stream)
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/examples/usercertinmem.c
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/examples/usercertinmem.c 2026-04-30 05:55:45.364317133 +0000
+++ cache/curl_curl-8_20_0/docs/examples/usercertinmem.c 2026-04-30 05:55:46.688411521 +0000
@@ -40,11 +40,7 @@
 #include <curl/curl.h>
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic ignored "-Woverlength-strings"
-#endif
-
-static size_t write_cb(void *ptr, size_t size, size_t nmemb, void *stream)
+static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *stream)
 {
 fwrite(ptr, size, nmemb, (FILE *)stream);
 return nmemb * size;
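Review bot: `write_cb` returns `nmemb * size` regardless of what `fwrite()` actually wrote, so a short or failed write is reported to libcurl as success and the transfer carries on with truncated output. Returning the written count instead, `return fwrite(ptr, size, nmemb, (FILE *)stream) * size;`, lets libcurl stop the transfer with a write error. Both lines are unchanged context in this hunk, and the function's closing brace is outside it.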
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Callback signature mismatch / undefined behavior docs/examples/usercertinmem.c [40-47]
Old Code
#if defined(__GNUC__) || defined(__clang__)
#pragma GCC diagnostic ignored "-Woverlength-strings"
#endif
static size_t write_cb(void *ptr, size_t size, size_t nmemb, void *stream)
{
fwrite(ptr, size, nmemb, (FILE *)stream);
return nmemb * size;
}
Fixed Code
static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *stream)
{
fwrite(ptr, size, nmemb, (FILE *)stream);
return nmemb * size;
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_ABSTRACT_UNIX_SOCKET.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_ABSTRACT_UNIX_SOCKET.md 2026-04-30 05:55:45.388318844 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_ABSTRACT_UNIX_SOCKET.md 2026-04-30 05:55:46.708412947 +0000
@@ -54,11 +54,13 @@
 {
 CURL *curl = curl_easy_init();
 if(curl) {
+ CURLcode result;
 curl_easy_setopt(curl, CURLOPT_ABSTRACT_UNIX_SOCKET, "/tmp/foo.sock");
 curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
 /* Perform the request */
- curl_easy_perform(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
 }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Resource Leak docs/libcurl/opts/CURLOPT_ABSTRACT_UNIX_SOCKET.md lines 54-64
Old Code
{
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_ABSTRACT_UNIX_SOCKET, "/tmp/foo.sock");
curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
/* Perform the request */
curl_easy_perform(curl);
}
}
Fixed Code
{
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
curl_easy_setopt(curl, CURLOPT_ABSTRACT_UNIX_SOCKET, "/tmp/foo.sock");
curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
/* Perform the request */
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_AWS_SIGV4.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_AWS_SIGV4.md 2026-04-30 05:55:45.388318844 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_AWS_SIGV4.md 2026-04-30 05:55:46.708412947 +0000
@@ -88,6 +88,7 @@
 CURL *curl = curl_easy_init();
 if(curl) {
+ CURLcode result;
 curl_easy_setopt(curl, CURLOPT_URL,
 "https://service.region.example.com/uri");
 curl_easy_setopt(curl, CURLOPT_AWS_SIGV4, "provider1:provider2");
@@ -98,7 +99,8 @@
 "provider1:provider2:region:service");
 curl_easy_setopt(curl, CURLOPT_USERPWD, "MY_ACCESS_KEY:MY_SECRET_KEY");
- curl_easy_perform(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
 }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Resource Leak docs/libcurl/opts/CURLOPT_AWS_SIGV4.md Lines 88-99
Old Code:
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL,
"https://service.region.example.com/uri");
curl_easy_setopt(curl, CURLOPT_AWS_SIGV4, "provider1:provider2");
curl_easy_setopt(curl, CURLOPT_AWS_SIGV4,
"provider1:provider2:region:service");
curl_easy_setopt(curl, CURLOPT_USERPWD, "MY_ACCESS_KEY:MY_SECRET_KEY");
curl_easy_perform(curl);
}
Fixed Code:
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
curl_easy_setopt(curl, CURLOPT_URL,
"https://service.region.example.com/uri");
curl_easy_setopt(curl, CURLOPT_AWS_SIGV4, "provider1:provider2");
curl_easy_setopt(curl, CURLOPT_AWS_SIGV4,
"provider1:provider2:region:service");
curl_easy_setopt(curl, CURLOPT_USERPWD, "MY_ACCESS_KEY:MY_SECRET_KEY");
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_CLOSESOCKETDATA.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_CLOSESOCKETDATA.md 2026-04-30 05:55:45.388318844 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_CLOSESOCKETDATA.md 2026-04-30 05:55:46.712413232 +0000
@@ -62,13 +62,15 @@
 {
 struct priv myown;
 CURL *curl = curl_easy_init();
+ if(curl) {
+ CURLcode result;
+ /* call this function to close sockets */
+ curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
+ curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
 
- /* call this function to close sockets */
- curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
- curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
-
- curl_easy_perform(curl);
- curl_easy_cleanup(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
NULL pointer dereference [docs/libcurl/opts/CURLOPT_CLOSESOCKETDATA.md] [around lines 62-72]
Old Code:
{
struct priv myown;
CURL *curl = curl_easy_init();
/* call this function to close sockets */
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
Fixed Code:
{
struct priv myown;
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
/* call this function to close sockets */
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_CLOSESOCKETFUNCTION.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_CLOSESOCKETFUNCTION.md 2026-04-30 05:55:45.388318844 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_CLOSESOCKETFUNCTION.md 2026-04-30 05:55:46.712413232 +0000
@@ -73,13 +73,15 @@
 {
 struct priv myown;
 CURL *curl = curl_easy_init();
+ if(curl) {
+ CURLcode result;
+ /* call this function to close sockets */
+ curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
+ curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
 
- /* call this function to close sockets */
- curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
- curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
-
- curl_easy_perform(curl);
- curl_easy_cleanup(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Null Pointer Dereference docs/libcurl/opts/CURLOPT_CLOSESOCKETFUNCTION.md lines 73-84
Old Code
{
struct priv myown;
CURL *curl = curl_easy_init();
/* call this function to close sockets */
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
Fixed Code
{
struct priv myown;
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
/* call this function to close sockets */
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closesocket);
curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &myown);
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_COOKIEFILE.md
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_COOKIEFILE.md 2026-04-30 05:55:45.392319129 +0000+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_COOKIEFILE.md 2026-04-30 05:55:46.712413232 +0000@@ -58,6 +58,8 @@ The cookies are loaded from the specified file(s) when the transfer starts, not when this option is set. +libcurl ignores filenames which do not exist or point to a directory.+ # SECURITY CONCERNS This document previously mentioned how specifying a non-existing file can also
AI Analysis
Vulnerability Existed: yes FALSE POSITIVE Improper Cookie File Path Handling docs/libcurl/opts/CURLOPT_COOKIEFILE.md Lines 58-60 Old Code: The cookies are loaded from the specified file(s) when the transfer starts, not when this option is set. Fixed Code: The cookies are loaded from the specified file(s) when the transfer starts, not when this option is set. libcurl ignores filenames which do not exist or point to a directory.
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_DEFAULT_PROTOCOL.md
AI: 1 vulnerabilities
1 true positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_DEFAULT_PROTOCOL.md 2026-04-30 05:55:45.392319129 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_DEFAULT_PROTOCOL.md 2026-04-30 05:55:46.712413232 +0000
@@ -68,6 +68,7 @@
 {
 CURL *curl = curl_easy_init();
 if(curl) {
+ CURLcode result;
 /* set a URL without a scheme */
 curl_easy_setopt(curl, CURLOPT_URL, "example.com");
 
@@ -75,7 +76,8 @@
 curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "https");
 /* Perform the request */
- curl_easy_perform(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
 }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Resource Leak / Missing Cleanup docs/libcurl/opts/CURLOPT_DEFAULT_PROTOCOL.md lines 68-76
Old Code
{
CURL *curl = curl_easy_init();
if(curl) {
/* set a URL without a scheme */
curl_easy_setopt(curl, CURLOPT_URL, "example.com");
curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "https");
/* Perform the request */
curl_easy_perform(curl);
}
}
Fixed Code
{
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
/* set a URL without a scheme */
curl_easy_setopt(curl, CURLOPT_URL, "example.com");
curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "https");
/* Perform the request */
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400
docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.md
AI: 1 vulnerabilities
1 false positive(s)
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168
--- cache/curl_curl-8_19_0/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.md 2026-04-30 05:55:45.392319129 +0000
+++ cache/curl_curl-8_20_0/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.md 2026-04-30 05:55:46.712413232 +0000
@@ -69,6 +69,7 @@
 {
 CURL *curl = curl_easy_init();
 if(curl) {
+ CURLcode result;
 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
 curl_easy_setopt(curl, CURLOPT_DOH_URL,
@@ -77,7 +78,8 @@
 /* Disable hostname verification of the DoH server */
 curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYHOST, 0L);
 
- curl_easy_perform(curl);
+ result = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
 }
 }
 ~~~
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Resource Leak / Missing Cleanup docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.md lines 69-78
Old Code
{
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
curl_easy_setopt(curl, CURLOPT_DOH_URL,
curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYHOST, 0L);
curl_easy_perform(curl);
}
}
Fixed Code
{
CURL *curl = curl_easy_init();
if(curl) {
CURLcode result;
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
curl_easy_setopt(curl, CURLOPT_DOH_URL,
curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYHOST, 0L);
result = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
}
CVE Analysis Results:
CVE-2026-5545 CVE-2026-5773 CVE-2026-6253 CVE-2026-6429 CVE-2026-7168: Yes
Failed to fetch CVE description: HTTP 400