Update security-sensitive dependencies: c-ares, curl, Moq
Summary
Updates three dependencies to address security vulnerabilities and remove a supply-chain trust concern. A fourth intended update (zlib 1.3.1 → 1.3.2) is blocked pending a vcpkg registry baseline bump — zlib 1.3.2 is not yet available in the current baseline.
- c-ares
- curl
- Moq
Files Changed
- src/vcpkg.json — updated overrides for c-ares and curl
- src/Directory.Packages.props — updated Moq version
Security Details
c-ares 1.19.1 → 1.34.6 — 3 CVEs fixed + memory-safety hardening
CVE-2024-25629 — Out-of-Bounds Read in Configuration File Parser
Fixed in: 1.27.0 (Feb 23, 2024) · Severity: Moderate · CWE-125/CWE-127
ares__read_line() parses local config files (/etc/resolv.conf, /etc/nsswitch.conf, HOSTALIASES). If any of these files has a null byte (\0) as the first character of a new line, the parser attempts to read memory prior to the start of the buffer (buffer under-read), causing a crash. Reported by Vojtěch Vobr.
CVE-2025-31498 — Use-After-Free in read_answers() · GHSA-6hxc-62jh-p29v
Fixed in: 1.34.5 (Apr 8, 2025) · Severity: High (CVSS 4.0: AV:N/AC:H, VA:High) · CWE-416
Introduced by v1.32.3's UDP write failure detection. When process_answer() re-enqueues a DNS query (triggered by a DNS Cookie failure, an upstream server not supporting EDNS, or a TCP server closing the connection immediately after a response), the connection handle is freed — but read_answers() continues holding and using that freed handle. A remote attacker controlling the upstream nameserver could trigger this path; a local attacker could force send()/write() to return failure. Result: crash / denial of service. Reported by Erik Lax.
CVE-2025-62408 — Use-After-Free in read_answers() (missed case) · GHSA-jq53-42q6-pqr5
Fixed in: 1.34.6 (Dec 8, 2025) · Severity: Medium (NVD pending) · CWE-416
An incomplete fix for CVE-2025-31498 in the same read_answers() function. This second UAF fires when process_answer() terminates a query after the maximum retry attempts — a different trigger path than 31498. The connection may be closed, but read_answers() still iterates over and accesses the freed handle.
Non-CVE Security Hardening (selected highlights)
- sprintf → snprintf throughout
- getrandom() syscall for entropy
- ARES_OPT_UDP_MAX_QUERIES limit per ephemeral port
- ares_strsplit() on safe buffer abstraction
- ARES_FLAG_DNS0x20
curl 8.12.1 → 8.19.0 — 16 CVEs fixed across 7 releases
8.14.0 — April 2, 2025 — 2 CVEs
CVE-2025-4947 — QUIC Certificate Check Skip with wolfSSL
Severity: Medium · CWE-295: Improper Certificate Validation · Bug bounty: $2,540
When connecting to a host specified as an IP address (not a hostname) over QUIC/HTTP3 with wolfSSL as the TLS backend, libcurl skipped certificate verification entirely, allowing undetected MITM attacks. Only affects QUIC+wolfSSL; TCP TLS is unaffected. Reported by Hiroki Kurosawa.
CVE-2025-5025 — No QUIC Certificate Pinning with wolfSSL
Severity: Medium · CWE-295: Improper Certificate Validation
CURLOPT_PINNEDPUBLICKEY / --pinnedpubkey pinning was silently not performed for QUIC/HTTP3 connections with the wolfSSL backend. Applications expecting to pin a server's public key would unknowingly connect to an impostor without any error. Reported by Hiroki Kurosawa.
8.14.1 — June 4, 2025 — 1 CVE
CVE-2025-5399 — WebSocket Endless Loop
Severity: Low · CWE-835: Loop with Unreachable Exit Condition
A malicious server can send a crafted packet causing libcurl's WebSocket auto-pong handler to enter an infinite busy-loop, DoS-ing the consuming application. Introduced in 8.13.0. Does not affect the curl command-line tool. Reported by z2_ on HackerOne.
8.15.0 — July 16, 2025 — 0 CVEs (hardening only)
No CVEs. Notable security changes:
8.16.0 — September 10, 2025 — 2 CVEs
CVE-2025-9086 — Out-of-Bounds Read for Cookie Path
Severity: Low · CWE-125: Out-of-bounds Read · C mistake (memory-safe language would have prevented this)
A sequence involving a secure cookie over HTTPS, a redirect to HTTP, and the HTTP server setting the same cookie with a single-slash path triggers a one-byte heap out-of-bounds read in curl's path comparison logic. It can crash curl or cause the insecure site to incorrectly override the secure cookie. Introduced in 8.13.0. Discovered by Google Big Sleep (AI-based vulnerability research).
CVE-2025-10148 — Predictable WebSocket Mask
Severity: Low · CWE-340: Generation of Predictable Numbers or Identifiers
curl's WebSocket framing used a fixed 32-bit mask for the entire connection instead of updating it per frame as required by RFC 6455. A predictable mask enables a malicious server to craft traffic that tricks an intermediate proxy into treating WebSocket data as HTTP — a cache-poisoning vector. Affects ws:// (unencrypted) connections through defective proxies. Reported by Calvin Ruocco (Vector Informatik GmbH).
Also in this release: default minimum TLS version raised from TLS 1.0/1.1 to TLS 1.2.
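As an added illustration of the framing rule this CVE is about (example code, not curl's), the block below builds RFC 6455 client-to-server frames with a fresh 4-byte mask per frame and includes a checker that flags a captured stream in which one masking key is reused across frames, which is the condition a defective intermediary can be confused by:

```python
import os
import struct

def build_frame(payload, mask_key=None, opcode=0x1):
    """Build one masked client-to-server frame (FIN set). A fresh random key
    is drawn for every frame unless mask_key is given (the tests pass fixed
    keys so the check below has deterministic input)."""
    key = mask_key if mask_key is not None else os.urandom(4)
    n = len(payload)
    if n < 126:
        header = bytes([0x80 | opcode, 0x80 | n])
    elif n < 0x10000:
        header = bytes([0x80 | opcode, 0x80 | 126]) + struct.pack("!H", n)
    else:
        header = bytes([0x80 | opcode, 0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return header + key + masked

def parse_frames(stream):
    """Yield (opcode, mask_key, payload) for each frame in a concatenated stream;
    mask_key is None for unmasked (server-to-client) frames."""
    pos = 0
    while pos < len(stream):
        opcode = stream[pos] & 0x0F
        masked = bool(stream[pos + 1] & 0x80)
        n = stream[pos + 1] & 0x7F
        pos += 2
        if n == 126:
            (n,) = struct.unpack("!H", stream[pos:pos + 2])
            pos += 2
        elif n == 127:
            (n,) = struct.unpack("!Q", stream[pos:pos + 8])
            pos += 8
        key = None
        if masked:
            key, pos = stream[pos:pos + 4], pos + 4
        body = stream[pos:pos + n]
        pos += n
        if key is not None:
            body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
        yield opcode, key, body

def reuses_mask(stream):
    """True if one masking key covers more than one frame: the predictable-mask
    condition described for CVE-2025-10148."""
    keys = [key for _, key, _ in parse_frames(stream) if key is not None]
    return len(keys) != len(set(keys))
```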
8.17.0 — November 5, 2025 — 1 CVE
CVE-2025-10966 — Missing SFTP Host Verification with wolfSSH
Severity: Low · CWE-322: Key Exchange without Entity Authentication
The wolfSSH SFTP backend had no host verification implemented at all — no known-host checking, no host key verification. Any MITM could intercept SFTP connections transparently. The fix was to remove wolfSSH support entirely from curl (7.69.0–8.16.0 affected). Reported by Stanislav Fort (Aisle Research).
Also in this release: OpenSSL minimum version raised to 3.0.0; GnuTLS < 3.6.5 dropped; FTP Kerberos support removed.
8.18.0 — January 7, 2026 — 6 CVEs
CVE-2025-13034 — No QUIC Certificate Pinning with GnuTLS
Severity: Medium · CWE-295: Improper Certificate Validation · Bug bounty: $2,540
Same class as CVE-2025-5025 but for the ngtcp2+GnuTLS QUIC backend: CURLOPT_PINNEDPUBLICKEY was not enforced for QUIC when standard cert verification was explicitly disabled by the caller. Connections to impostors go undetected. Reported by Stanislav Fort (Aisle Research).
CVE-2025-14017 — Broken TLS Options for Threaded LDAPS
Severity: Medium · CWE-567: Unsynchronized Access to Shared Data in a Multi-threaded Context
In multi-threaded applications using LDAP over TLS, setting a TLS option (e.g., disabling cert verification) on one connection could globally affect other concurrent LDAP connections due to unsynchronized access to shared state. Only affects legacy non-OpenLDAP, non-WinLDAP builds. Has existed since 7.17.0. Reported by Stanislav Fort (Aisle Research).
CVE-2025-14524 — Bearer Token Leak on Cross-Protocol Redirect
Severity: Low · CWE-522: Insufficiently Protected Credentials
When an OAuth2 bearer token is in use and curl follows a redirect to a non-HTTP protocol (IMAP, LDAP, POP3, SMTP) — which requires explicitly enabling non-HTTP redirects — the bearer token could be forwarded to the new host. Reported anonymously on HackerOne.
CVE-2025-14819 — OpenSSL Partial Chain Store Policy Bypass
Severity: Low · CWE-295: Improper Certificate Validation · Bug bounty: $505
Due to CA store caching, toggling CURLSSLOPT_NO_PARTIALCHAIN between transfers on a reused handle could cause curl to accept a partial certificate trust chain it should have rejected (using the cached store from a previous setting). Only affects the OpenSSL backend; only impacts applications toggling this option between transfers. Reported by Stanislav Fort (Aisle Research).
CVE-2025-15079 — libssh Global known_hosts Override
Severity: Low · CWE-297: Improper Validation of Certificate with Host Mismatch · Bug bounty: $505
When CURLOPT_SSH_KNOWNHOSTS is specified for SCP/SFTP via the libssh backend, libssh's automatic fallback to its compile-time global known_hosts file meant curl could accept connections to hosts not present in the user's specified file. Fix: both the user and global known_hosts paths are set to the user-provided path. Reported by Harry Sintonen.
CVE-2025-15224 — libssh Key Passphrase Bypass Without Agent Set
Severity: Low · CWE-287: Improper Authentication · Bug bounty: $505
When using public key authentication with the libssh backend, curl silently also attempted SSH agent authentication even when no agent was configured, due to libssh's automatic fallback behavior. Violates the caller's explicit authentication intent. Reported by Harry Sintonen.
8.19.0 — March 11, 2026 — 4 CVEs
CVE-2026-1965 — Bad Reuse of HTTP Negotiate Connection
Severity: Medium · CWE-305: Authentication Bypass by Primary Weakness
When using HTTP Negotiate (Kerberos/GSSAPI) authentication, curl could reuse an existing connection authenticated under a different user for a new request with different credentials, because Negotiate authenticates connections (not individual requests). A request intended for user2 could be sent over user1's authenticated connection. Present since 7.10.6. Mitigatable by disabling connection reuse. Reported by Zhicheng Chen.
CVE-2026-3783 — Token Leak with Redirect and netrc
Severity: Medium · CWE-522: Insufficiently Protected Credentials
When an OAuth2 bearer token is in use and curl follows an HTTP redirect, if the redirect target hostname appears in the user's .netrc file, curl forwards the bearer token to the redirect target host. Reported on HackerOne #3583983.
CVE-2026-3784 — Wrong Proxy Connection Reuse with Credentials
Severity: Low · CWE-305: Authentication Bypass by Primary Weakness
curl wrongly reuses an existing HTTP proxy CONNECT tunnel even when the new request uses different proxy credentials, potentially bypassing per-request proxy authorization. Present since curl 7.7. Reported by Muhamad Arga Reksapati on HackerOne.
CVE-2026-3805 — Use After Free in SMB Connection Reuse
Severity: Medium · CWE-416: Use After Free · C mistake
On a second SMB request to the same host (reused connection), curl reads from an already-freed memory pointer, potentially leaking data from that memory address into the outgoing SMB packet. Introduced in 8.13.0. Reported by Daniel Wade on HackerOne.
curl CVE Summary
Moq 4.18.2 → 4.20.72 — SponsorLink supply-chain incident; ensures no affected version is used
What Happened
Moq 4.20.0 and 4.20.1 (released Aug 4–9, 2023) introduced a dependency on Devlooped.SponsorLink — a closed-source, obfuscated Roslyn analyzer that ran at IDE build time (Visual Studio / Rider; not CI or dotnet build). It was removed in 4.20.2 (Aug 9, 2023) and has not returned.
What SponsorLink Did at Build Time
- git config --get user.email to retrieve the developer's configured git email
- devlooped account
Why It Was Removed
- TreatWarningsAsErrors projects had builds broken entirely.
- dotnet restore failed on non-Windows platforms.
The author open-sourced the SponsorLink codebase the following day and stated SponsorLink would not return to Moq until the privacy concerns were properly addressed. As of 4.20.72, it has not returned.
Other Security-Relevant Changes in This Range
- Castle.Core (DynamicProxy) upgraded from 5.0.0 → 5.1.0; System.Threading.Tasks.Extensions dependency removed for netstandard2.1 and net6.0 targets
- Castle.Core upgraded to 5.1.1
- Castle.Core 5.1.1 retained; no SponsorLink
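A version gate matching what this PR asserts, as an added example that is not part of the PR: it reads the vcpkg.json overrides and the Directory.Packages.props PackageVersion entries (constructed samples inline, not the repository's files) and flags c-ares or curl pinned below the fixed versions named above, or Moq pinned to one of the two SponsorLink releases.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests shaped like src/vcpkg.json and
# src/Directory.Packages.props (not the repository's real files).
VCPKG_JSON = """{"name": "sample", "overrides": [
    {"name": "c-ares", "version": "1.19.1"},
    {"name": "curl", "version": "8.19.0"},
    {"name": "zlib", "version": "1.3.1"}]}"""
PACKAGES_PROPS = """<Project><ItemGroup>
    <PackageVersion Include="Moq" Version="4.20.1" />
    <PackageVersion Include="Castle.Core" Version="5.1.1" />
</ItemGroup></Project>"""

# Fixed versions named in the PR description, and the two SponsorLink releases.
MIN_VERSIONS = {"c-ares": "1.34.6", "curl": "8.19.0"}
BANNED = {"Moq": {"4.20.0", "4.20.1"}}

def parse_version(v):
    # Numeric tuple for comparison; a "-suffix" such as "-rc1" is ignored.
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))

def vcpkg_overrides(text):
    # vcpkg overrides may carry any one of these version keys.
    keys = ("version", "version-semver", "version-date", "version-string")
    out = {}
    for entry in json.loads(text).get("overrides", []):
        ver = next((entry[k] for k in keys if k in entry), None)
        if ver is not None:
            out[entry["name"]] = ver
    return out

def nuget_versions(text):
    # Central Package Management: <PackageVersion Include="..." Version="..." />
    root = ET.fromstring(text)
    return {e.get("Include"): e.get("Version") for e in root.iter("PackageVersion")}

def audit(vcpkg_text, props_text):
    """Return (package, version, reason) for every pin the PR would reject."""
    findings = []
    for name, ver in vcpkg_overrides(vcpkg_text).items():
        floor = MIN_VERSIONS.get(name)
        if floor and parse_version(ver) < parse_version(floor):
            findings.append((name, ver, "below fixed version " + floor))
    for name, ver in nuget_versions(props_text).items():
        if ver in BANNED.get(name, ()):
            findings.append((name, ver, "SponsorLink-affected release"))
    return findings
```

Run as a pre-merge check, an empty result from audit() means every pin satisfies the thresholds this PR sets; zlib is deliberately not gated because the description leaves it at 1.3.1.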