I believe a good product needs clear and thorough documentation. I think shipping a quality product requires you to provide detailed and informative release notes. I try to live up to this in the curl project, and this is how we do it. Scripts are your friends: Some of the scripts I use to maintain … Continue reading How I maintain release notes for curl→| daniel.haxx.se
As the Cyber Resilience Act (CRA) is getting closer and companies wanting to sell digital services in goods within the EU need to step up, tighten their procedures, improve their documentation and get control over their dependencies I feel it could be timely to remind everyone: We of course offer full support and fully CRA … Continue reading CRA compliant curl→| daniel.haxx.se
We are dropping support for this feature in curl 8.17.0. Kerberos5 FTP to be exact. The last Kerberos support we had for FTP. Badness: On September 16, 2025 we received a security report that accurately identified a possible stack based buffer overflow in the Kerberos FTP code that could allow a malicious FTP server cause … Continue reading Bye bye Kerberos FTP →| daniel.haxx.se
tldr: Apple thinks it is fine. I do not. On December 28 2023, bugreport 12604 was filed in the curl issue tracker. We get a lot of issues filed most days so this fact alone was hardly anything out of the ordinary. We read the reports, investigate, ask follow-up questions to see what we can learn … Continue reading the Apple curl security incident 12604 →| daniel.haxx.se
Every curl security report starts out with someone submitting an issue to us on https://hackerone.com/curl. The reporter tells us what they suspect and what they think the problem is. This report is kept private, visible only to the curl security team and the reporter while we work on it. In recent months we have gotten … Continue reading From suspicion to published curl CVE →| daniel.haxx.se
Developers Day is a recent annual Swedish gala organized by the Stockholm-based company Developers Bay. This is its third year running. They have an ambition to highlight and celebrate Swedish software developers (or perhaps it is developers based in Sweden?) and hand out a series of awards for that purpose. A jury that consists of … Continue reading Developer of the year→| daniel.haxx.se
Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0. Release presentation. Numbers: the 270th release; 17 changes; 56 days (total: 10,036); 260 bugfixes (total: 12,538); 453 commits (total: 36,025); 2 new public libcurl function (total: 98); 0 new curl_easy_setopt() option (total: 308); 3 new curl command line option (total: … Continue reading curl 8.16.0→| daniel.haxx.se
One of these mantras I keep repeating is how we in the curl project keep improving, keep polishing and keep tightening every bolt there is. No one can do everything right from day one, but given time and will we can over time get a lot of things lined up in neat and tidy lines. … Continue reading preparing for the worst→| daniel.haxx.se
This was the title of my keynote at the Open Source Summit Europe 2025 conference in Amsterdam that I delivered on August 25, 2025. The giants, as in fact large parts of modern infrastructure, stand on the shoulders of Open Source projects and their maintainers. But maybe these projects and people are not treated in … Continue reading giants, standing on the shoulders of →| daniel.haxx.se
Speaking the TCP protocol, we communicate between "ports" in the local and remote ends. Each of these port fields is 16 bits in the protocol header so they can hold values between 0 - 65535. (IPv4 or IPv6 are the same here.) We usually do HTTP on port 80 and we do HTTPS on port … Continue reading Pretending port zero is a normal one →| daniel.haxx.se
curl added support for OpenSSL immediately when it was first released, as they switched away from SSLeay, in the late 1990s. We have since supported it over the decades as both OpenSSL and curl have developed. A while back the OpenSSL project stopped updating their 1.0.x and 1.1.x public branches. This means that unless you … Continue reading Dropping old OpenSSL→| daniel.haxx.se
On August 16, 2025 I did a keynote with this title at the FrOSCon conference in Bonn, Germany. The room held a few hundred seats and every single one was occupied, with people also filling up the stairs and standing along the walls. Awesome! https://www.youtube.com/watch?v=6n2eDcRjSsk See also my death by slop post for more … Continue reading AI slop attacks on the curl project →| daniel.haxx.se
Downloading data from a remote URL is probably the single most common operation people do with curl. Often, users then add various additional options to the command line to extract information from that transfer but may also decide that the actually fetched data is not interesting. Sometimes they don't get the accurate meta-data if the … Continue reading Output nothing with --out-null →| daniel.haxx.se
Welcome to another curl release. A shorter cycle this time so we did not have time to merge many changes: there is just one logged. See below. This is the 269th release featuring 269 command line options. Release presentation: https://www.youtube.com/watch?v=O-JKlkXVURg Numbers: the 269th release; 1 change; 42 days (total: 9,980); 233 bugfixes (total: 12,282); 334 commits (total: 35,572); 0 new … Continue reading curl 8.15.0 →| daniel.haxx.se
I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter … Continue reading Death by a thousand slops →| daniel.haxx.se
A while ago I received an email with this question. I've been subscribed to your weekly newsletter for a while now, receiving your weekly updates every Friday. I'm writing because I admire your consistency, focus, and perseverance. I can't help but wonder, with admiration, how you manage to do it. Since this is a topic … Continue reading How I do it →| daniel.haxx.se
I need to get myself a new laptop. My existing one is from 2017 and was already then not the most powerful one. It recently started to shut itself off when running on battery and during the two most recent curl up meetings it has proven itself to be rather sluggish and unable to save … Continue reading Sponsor my laptop! →| daniel.haxx.se
I'm pleased to announce that once again I have collected the results, generated the graphs and pondered over conclusions to make after the annual curl user survey. Get the curl user survey 2025 analysis here. Take-aways: I don't think I spoil it too much if I say that there aren't too many drastic news in … Continue reading curl user survey 2025 analysis →| daniel.haxx.se
Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA. As such, I ensure that all NASA acquisitions of Covered Articles comply with … Continue reading curl supports NASA →| daniel.haxx.se
With the new EU legislation Cyber Resiliency Act (CRA), there are new responsibilities and requirements put on manufacturers of digital products and services in Europe. Going forward these manufacturers must be able to know and report the exact contents of their software, called a Software Bill of Material (SBOM) and they have requirements to check … Continue reading Cybersecurity Risk Assessment Request →| daniel.haxx.se
curl supports getting built with eleven different TLS libraries. Six of these libraries are OpenSSL or forks of OpenSSL. Allow me to give you a glimpse of their differences, similarities and some insights into what it takes to support them all. SSLeay: It all started with SSLeay. This was the first SSL library I found … Continue reading A family of forks →| daniel.haxx.se
Yes! curl user survey 2025: The time has come for you to once again do your curl community duty. Run over and fill in the curl user survey and tell us about how you use curl etc. This is the only proper way we get user feedback on a wide scale so please use this … Continue reading The curl user survey 2025 is up →| daniel.haxx.se
On the completely impossible situation of blocking the Tor .onion TLD to avoid leaks, but at the same time not block it to make users able to do what they want. dot-onion leaks: The onion TLD is a Tor specific domain that does not mean much to the world outside of Tor. If you try … Continue reading Leeks and leaks →| daniel.haxx.se
In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts. In a later presentation, he could show us how not a single human reviewer in the team nor any CI job had spotted or remarked on one of … Continue reading Detecting malicious Unicode →| daniel.haxx.se
It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines. As I think you can see for yourself below they are also neither strange nor … Continue reading Writing C for curl →| daniel.haxx.se
CVSS is short for Common Vulnerability Scoring System and is according to Wikipedia a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online CVSS calculator, click a few checkboxes and radio buttons and then you magically get a number from 0 to 10. There are also different versions … Continue reading CVSS is dead to us →| daniel.haxx.se
tldr: work has started to make Hyper work as a backend in curl for HTTP. curl and its data transfer core, libcurl, is all written in C. The language C is known and infamous for not being memory safe and for being easy to mess up and as a result accidentally cause security problems. At … Continue reading rust in curl with hyper →| daniel.haxx.se
It has been eighteen years of libcurl ABI stability.| daniel.haxx.se
Time for another checkup. Where are we right now with HTTP/3 support in curl for users? I think curl's situation is symptomatic for a lot of other HTTP tools and libraries. HTTP/3 has been and continues to be a much tougher deployment journey than HTTP/2 was. curl supports four alternative HTTP/3 solutions: You can enable … Continue reading HTTP/3 in curl mid 2024 →| daniel.haxx.se
Numbers: the 257th release; 8 changes; 56 days (total: 9,560); 220 bug-fixes (total: 10,271); 348 commits (total: 32,280); 1 new public libcurl function (total: 94); 1 new curl_easy_setopt() option (total: 305); 1 new curl command line option (total: 259); 84 contributors, 41 new (total: 3,173); 49 authors, 20 new (total: 1,272); 0 security fixes (total: 155). Download the new curl release from curl.se as always. … Continue reading curl 8.8.0 →| daniel.haxx.se
On Friday May 3, 2024 I had several of my curl friends over for dinner in my house. An unusually warm and sunny spring day with a temperature reaching twenty degrees centigrade. The curl up 2024 weekend started excellently and the following morning we all squeezed ourselves into a conference room in downtown Stockholm. I … Continue reading I survived curl up 2024 →| daniel.haxx.se
I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can't hold back anymore. Let me show you the most significant effect of AI on curl as of today - with examples. Bug Bounty: Having a bug bounty means that we offer … Continue reading The I in LLM stands for intelligence →| daniel.haxx.se
Section 9.1.1 in RFC7540 explains how HTTP/2 clients can reuse connections. This is my lengthy way of explaining how this works in reality. Many connections in HTTP/1: With HTTP/1.1, browsers are typically using 6 connections per origin (host name + port). They do this to overcome the problems in HTTP/1 and how it uses TCP … Continue reading HTTP/2 connection coalescing →| daniel.haxx.se
In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it to severity HIGH. While the advisory contains all the necessary details, I figured I would use a few additional … Continue reading How I made a heap overflow in curl →| daniel.haxx.se
The other day I sent out this tweet. As it took off, got amazing attention and I received many different comments and replies, I felt a need to elaborate a little. To add some meat to this. Is this string really a legitimate URL? What is a URL? How is it parsed? http://http://http://@http://http://?http://#http:// curl … Continue reading http://http://http://@http://http://?http://#http:// →| daniel.haxx.se