Created on November 12, 2023 at 11:30 am

Welcome to this new curl release!

Release video


the 251st release

9 changes

49 days (total: 9,308)

174 bug-fixes (total: 9,415)

296 commits (total: 30,942)

1 new public libcurl function (total: 92)

0 new curl_easy_setopt() option (total: 303)


new curl command line option (total: 257)

80 contributors, 50 new (total: 2,977)

40 authors, 20 new (total: 1,193)

1 security fix (total: 146)

Numbers notes:

The release counter now also includes project releases done before the name was changed to curl. The number of security fixes is adjusted due to the recently rejected CVE-2023-32001.


We publish a security advisory in association with today’s release.

HTTP headers eat all memory

[CVE-2023-38039] When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
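The missing limit described above, shown as a bounded header store. This is an added example and not curl's own code; the struct and function names and both caps (64 KB total, 500 lines) are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Caps are assumptions chosen for this sketch, not values from curl. */
#define MAX_HEADER_BYTES (64 * 1024)
#define MAX_HEADER_COUNT 500

struct hdr { struct hdr *next; char line[]; };
struct hdr_store { struct hdr *head; size_t count, bytes; };

/* Store one header line. Returns 0 on success, -1 when a cap would be
   exceeded or allocation fails; the caller then aborts the transfer. */
int hdr_store_add(struct hdr_store *s, const char *line, size_t len)
{
  struct hdr *h;
  if(s->count >= MAX_HEADER_COUNT || len > MAX_HEADER_BYTES - s->bytes)
    return -1;
  h = malloc(sizeof(*h) + len + 1);
  if(!h)
    return -1;
  memcpy(h->line, line, len);
  h->line[len] = '\0';
  h->next = s->head;
  s->head = h;
  s->count++;
  s->bytes += len;
  return 0;
}

void hdr_store_free(struct hdr_store *s)
{
  while(s->head) {
    struct hdr *next = s->head->next;
    free(s->head);
    s->head = next;
  }
  s->count = s->bytes = 0;
}

/* Constructed stand-in for a server that never stops sending headers:
   offer the same line n times, return how many the store accepted. */
size_t feed_headers(struct hdr_store *s, const char *line, size_t n)
{
  size_t i = 0, len = strlen(line);
  while(i < n && hdr_store_add(s, line, len) == 0)
    i++;
  return i;
}
```

Both caps matter: many tiny headers hit the count limit long before the byte limit, while a few very large ones hit the byte limit first.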


curl: make %output{} in -w specify a file to write to

The super handy option --write-out becomes even more convenient now as it can redirect its output into a specific file and not just stdout and stderr.

curl: add “variable” support

The new variable concept not only lets users use environment variables in config files but also opens up for new ways to use curl command lines effectively.

remove gskit support

The gskit TLS library is no longer a provided option when building curl.

remove NSS support

The NSS TLS library is no longer a provided option when building curl. curl still supports building with twelve different TLS libraries even after the removal of these two.

configure --disable-bindlocal builds curl without local binding support

As a next step in the gradual movement to allow more and more features to get enabled/disabled at build time, the time came to the bindlocal function, which is the feature that binds the local end of a connection. Primarily intended for tiny-curl purposes when you aim for a minimal footprint build.

make tracing available in non-debug builds

Starting now, libcurl offers curl_global_trace and curl offers --trace-config to ask for what specific details to include in the verbose logging output. This is a way for a non-debug build to provide more protocol level details from transfers in ways that were previously not possible. Allows for users to report bugs better and provide more insights from real-world problematic scenarios.


As a precaution, we change the default from unlimited to 30.

CURLU_PUNY2IDN – convert punycode to IDN

The URL API gets the ability to convert to an International Domain Name when given a punycode version. Previously it could only do the conversion in the other direction.

wolfssl: support loading system CA certificates

curl built with wolfSSL now can use the “native CA” option which then makes it possible to use the native CA store on several platforms instead of using a separately provided external file.


More than 160 bugfixes are logged for this release, but here are a few selected highlights.

accept and parse IPv6 addresses in alt-svc response headers

Previously curl would not parse and accept such hosts.

c-ares: reduce timeout to 2000ms

The default c-ares DNS timeout is set to the same time that c-ares itself has changed to in their next pending release.

make CURLOPT_HAPROXY_CLIENT_IP set the source IP

It was wrongly set as destination instead of source.

cmake: ten separate improvements

Numerous smaller and larger fixes that made the cmake build of curl several notches better.

stop halving the remaining connect timeout when less than 600 ms left

When curl connects to a host that resolves to multiple IP addresses, it allows half the timeout time for the current IP before it moves on to attempt the next IP in the list. That “halving” is now stopped when there is less than 600 milliseconds left to reduce problems with too short times.

docs: rewrite to present tense

Most of the curl documentation now says “this option does this” instead of “this option will do this”

escape all dashes (ASCII minus) to avoid Unicode hyphens in curl.1 man page

It turns out the curl man page as generated previously, would make the man command use a Unicode hyphen instead of ASCII minus when displayed. This broke copy and paste and it made it impossible to properly search for minus/dash when viewing the man page.

accept leading whitespace on first HTTP response header

curl is now less strict if the first HTTP/1 response header starts with space or tab, thus looking like it is a “fold” when it is not. Other commonly used tools/browsers accept this kind of bad syntax and so does curl now.

avoid too early HTTP/2 connection re-use/multiplexing

When doing lots of parallel transfers curl might need to create a second connection when the first reaches its maximum number of streams. In that situation, curl would try to multiplex on that new connection too early, before it was properly set up and ready for use, leading to transfer errors.

http/http2/http3: fix sending large requests

Logic for all supported HTTP versions had (different) issues in handling sending very large requests.

aws-sigv4: canonicalize the query

Using aws-sigv4 authentication would fail if the query part was not manually crafted to be correct: sorted, uppercase %-encoding and all the name/value pairs alpha-sorted. Now curl does this itself.
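The normalisation this item lists (uppercase %-encoding, name/value pairs sorted), as an added sketch that is not curl's implementation. canon_query, pair_cmp and the 64-pair cap are hypothetical, and the sketch does not cover the rest of SigV4 canonicalization such as encoding reserved characters.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Order pairs by name first, then by value, comparing raw bytes. A plain
   strcmp() on "name=value" would misplace names such as "a-b" vs "a". */
static int pair_cmp(const void *a, const void *b)
{
  const char *x = *(const char *const *)a, *y = *(const char *const *)b;
  size_t nx = strcspn(x, "="), ny = strcspn(y, "=");
  int r = memcmp(x, y, nx < ny ? nx : ny);
  if(!r && nx != ny)
    r = nx < ny ? -1 : 1;
  return r ? r : strcmp(x + nx, y + ny);
}

/* Write the normalised form of `query` to `out`. Returns 0 on success,
   -1 if `out` is too small, there are more than 64 pairs (assumed cap),
   or allocation fails. */
int canon_query(const char *query, char *out, size_t outlen)
{
  char *pairs[64], *copy, *p;
  size_t n = 0, i, len = strlen(query);
  if(len + 1 > outlen || !(copy = malloc(len + 1)))
    return -1;
  memcpy(copy, query, len + 1);
  for(p = copy; *p; p++)  /* uppercase the hex digits of each %XX */
    if(*p == '%' && isxdigit((unsigned char)p[1]) &&
       isxdigit((unsigned char)p[2])) {
      p[1] = (char)toupper((unsigned char)p[1]);
      p[2] = (char)toupper((unsigned char)p[2]);
      p += 2;
    }
  for(p = strtok(copy, "&"); p; p = strtok(NULL, "&")) {
    if(n == 64) {
      free(copy);
      return -1;
    }
    pairs[n++] = p;
  }
  qsort(pairs, n, sizeof(pairs[0]), pair_cmp);
  out[0] = '\0';
  for(i = 0; i < n; i++) {
    if(i)
      strcat(out, "&");
    strcat(out, pairs[i]);
  }
  free(copy);
  return 0;
}
```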

make aws-sigv4 not require TLS to be used

The --aws-sigv4 option no longer requires an HTTPS:// URL to be used.

lib: move mimepost data from ->req.p.http to ->state

The moving of internal data from one struct to another made data survive between two requests and thus fixed a bug involving redirects with MIMEPOST that needed to rewind.

use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set

Turns out curl would still resolve both IPv4 and IPv6 names even if ipv6-only connections were being requested, thus getting some extra names in vain.

system.h: add CURL_OFF_T definitions on HP-UX with HP aCC

Starting now, curl builds properly on more HP-UX machines.

tests: update cookie expiry dates to far in the future

curl’s test suite now runs fine even when executed in a year after 2038.

tool_filetime: make -z work with file dates before 1970

The -z option can get the file date off a local file and use that in a HTTP time condition request, but if the file was older than January 1 1970 it would act wrongly.

transfer: also stop the sending on closed connection

When curl sent off a HTTP/1 request and the connection was closed before the sending was complete, curl could end up not detecting that and ending the transfer correctly.


Adjustments were made to make this timestamp work as actually documented.

make zoneid duplicated in curl_url_dup

This dup function did not correctly duplicate the zone id from the source handle, making it an incomplete duplicate.

quic: don’t set SNI if hostname is an IP address

curl would wrongly populate the SNI field with the IP address when doing QUIC connections to such.


This is a dot-zero release. If there are any important enough regressions shipped in this version, we will do a follow-up release shortly. Report all and any problems you spot.
