diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap index 59066590159..66781831f02 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap @@ -1307,6 +1307,10 @@ "id": "DEBIAN-CVE-2024-12133", "modified": "" }, + { + "id": "DEBIAN-CVE-2025-13151", + "modified": "" + }, { "id": "DLA-3263-1", "modified": "" @@ -1529,7 +1533,7 @@ }, { "id": "DEBIAN-CVE-2025-9714", - "modified": "" + "modified": "" }, { "id": "DLA-3012-1", @@ -1815,7 +1819,7 @@ }, { "id": "DEBIAN-CVE-2024-13176", - "modified": "" + "modified": "" }, { "id": "DEBIAN-CVE-2024-2511", @@ -3111,6 +3115,10 @@ "id": "GHSA-34jh-p97f-mpxf", "modified": "" }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" + }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "" @@ -3159,6 +3167,10 @@ "id": "GHSA-34jh-p97f-mpxf", "modified": "" }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" + }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "" @@ -3199,6 +3211,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" @@ -3207,6 +3223,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" @@ -3215,6 +3235,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" @@ -3589,6 +3613,10 @@ "id": "GHSA-34jh-p97f-mpxf", "modified": "" }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" + }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "" @@ -3637,6 +3665,10 @@ "id": "GHSA-34jh-p97f-mpxf", "modified": "" }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" + }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "" @@ -3677,6 +3709,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" @@ -3685,6 +3721,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" @@ -3693,6 +3733,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap index 66c1c427573..f25041605c1 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap @@ -604,6 +604,10 @@ "id": "GHSA-34jh-p97f-mpxf", "modified": "" }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" + }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "" @@ -644,6 +648,10 @@ }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", "modified": "" diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index 680b407c069..c8ddca551bf 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap @@ -264,6 +264,58 @@ } ] }, + { + "id": "CVE-2026-22693", + "details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", + "aliases": ["GHSA-xvjr-f2r9-c7ww"], + "modified": "", + "published": "2026-01-10T06:15:52.063Z", + "references": [ + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/11/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/12/1" + }, + { + "type": "ADVISORY", + "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" + }, + { + "type": "FIX", + "url": "https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae" + } + ], + "affected": [ + { + "ranges": [ + { + "type": "GIT", + "repo": "https://github.com/harfbuzz/harfbuzz", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1265ff8d990284f04d8768f35b0e20ae5f60daae" + } + ] + } + ], + "versions": 207, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ] + }, { "id": "OSV-2020-484", "summary": "Heap-buffer-overflow in AAT::KerxSubTableFormat4\u003cAAT::KerxSubTableHeader\u003e::driver_context_t::transition", @@ -876,12 +928,12 @@ ] }, { - "id": "CURL-CVE-2025-5025", - "summary": "No QUIC certificate pinning with wolfSSL", - "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", - "aliases": ["CVE-2025-5025"], - "modified": "", - "published": "2025-05-28T08:00:00Z", + "id": "CURL-CVE-2025-14017", + "summary": "broken TLS options for threaded LDAPS", + "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.", + "aliases": ["CVE-2025-14017"], + "modified": "", + "published": "2026-01-07T08:00:00Z", "database_specific": "", "affected": [ { @@ -890,10 +942,10 @@ "type": "SEMVER", "events": [ { - "introduced": "8.5.0" + "introduced": "7.17.0" }, { - "fixed": "8.14.0" + "fixed": "8.18.0" } ] }, @@ -902,37 +954,37 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + "introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34" }, { - "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + "fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d" } ] } ], - "versions": 14, + "versions": 143, "database_specific": "" } ], "schema_version": "1.7.3", "credits": [ { - "name": "Hiroki Kurosawa", + "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { - "name": "Stefan Eissing", + "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ] }, { - "id": "CURL-CVE-2025-9086", - "summary": "Out of bounds read for cookie path", - "details": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.", - "aliases": ["CVE-2025-9086"], - "modified": "", - "published": "2025-09-10T08:00:00Z", + "id": "CURL-CVE-2025-14524", + "summary": "bearer token leak on cross-protocol redirect", + "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.", + "aliases": ["CVE-2025-14524"], + "modified": "", + "published": "2026-01-06T08:00:00Z", "database_specific": "", "affected": [ { @@ -941,10 +993,10 @@ "type": "SEMVER", "events": [ { - "introduced": "7.31.0" + "introduced": "7.33.0" }, { - "fixed": "8.16.0" + "fixed": "8.18.0" } ] }, @@ -953,10 +1005,10 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d" + "introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa" }, { - "fixed": "c6ae07c6a541e0e96d0040afb62b45dd37711300" + "fixed": "1a822275d333dc6da6043497160fd04c8fa48640" } ] } @@ -968,7 +1020,58 @@ "schema_version": "1.7.3", "credits": [ { - "name": "Google Big Sleep", + "name": "anonymous237 on hackerone", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-14819", + "summary": "OpenSSL partial chain store policy bypass", + "details": "When doing TLS related transfers with reused easy or multi handles and\naltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not.", + "aliases": ["CVE-2025-14819"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.87.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "3c16697ebd796f799227be293e8689aec5f8190d" + }, + { + "fixed": "cd046f6c93b39d673a58c18648d8906e954c4f5d" + } + ] + } + ], + "versions": 31, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { @@ -977,6 +1080,159 @@ } ] }, + { + "id": "CURL-CVE-2025-15079", + "summary": "libssh global known_hosts override", + "details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.", + "aliases": ["CVE-2025-15079"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "adca486c125d9a6d9565b9607a19dce803a8b479" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-15224", + "summary": "libssh key passphrase bypass without agent set", + "details": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.", + "aliases": ["CVE-2025-15224"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "16d5f2a5660c61cc27bd5f1c7f512391d1c927aa" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", + "type": "FINDER" + }, + { + "name": "Harry Sintonen", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-5025", + "summary": "No QUIC certificate pinning with wolfSSL", + "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", + "aliases": ["CVE-2025-5025"], + "modified": "", + "published": "2025-05-28T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.14.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + }, + { + "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + } + ] + } + ], + "versions": 14, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Hiroki Kurosawa", + "type": "FINDER" + }, + { + "name": "Stefan Eissing", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, { "id": "CVE-2024-0853", "details": "curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.",