#curl 8.14.1 is out

https://daniel.haxx.se/blog/2025/06/04/curl-8-14-1/

Thanks to Calvin Ruocco, Dan Fandrich, Daniel Stenberg, denandz on github, Ethan Everett, Jacob Mealey, Jeremy Drake, Jeroen Ooms, John Bampton, Kadambini Nema, Michael Kaufmann, Rasmus Melchior Jacobsen, Ray Satiro, Samuel Henrique, Stefan Eissing, Viktor Szakats, x-xiang on github, Yedaya Katsman, Yuyi Wang, z2_

curl 8.14.1

This is a patch-release done only a week since the previous version, with no changes merged, only bugfixes. Because some of the regressions in 8.14.0 were a little too annoying to leave unattended for a full cycle.

Release presentation: At 10:00 CEST (08:00 UTC) I do a release presentation live-streamed on Twitch.

Numbers: the 268th …

The new #curl CVE-2025-5399 is an infinite loop in the WebSocket code: https://curl.se/docs/CVE-2025-5399.html
curl - WebSocket endless loop - CVE-2025-5399

The hackerone report behind this is also disclosed for full transparency.

https://hackerone.com/reports/3168039

curl disclosed on HackerOne: CVE-2025-5399: WebSocket endless loop

The function `curl_ws_send()` in libcurl on commit [12d13b84fa40aa657b83d5458944dbd9b978fb7e](https://github.com/curl/curl/blob/12d13b84fa40aa657b83d5458944dbd9b978fb7e/lib/ws.c) contains an infinite loop that can be triggered by a malicious server under specific circumstances. If an application uses `curl_ws_recv()` and `curl_ws_send()` to communicate with a websocket server, a malicious...


This flaw was deemed "not a C mistake". This problem was introduced independent of the language used. A logic mistake.

Now we count 38.9% of all the curl CVEs to be mistakes we could have avoided had we not used C.

@bagder that leads to the question. If you were to start over with curl. Would you use C?
@sundanian C is still waaaay more portable than all alternatives, and the only real alternative, Rust, is still young and fairly immature for system library tasks, so I think so, yes.
@bagder This still hasn't made its way into the CVE public data. I assume you submitted it, but I'm asking just in case :)
@joshbressers if you're a CNA, the cve services api to update CVEs is fairly good and quick to update (NVD, which is downstream of cvelistv5, takes a little longer)
@bagder is there another Daniel Stenberg contributor, or are you talking in the third person like Dwayne The Rock Johnson?