Curl.exe vulnerabilities

Anyone heard any rumblings of either HCL or MS fixing the curl < 8.12.x vulnerabilities?

I have a case open with MS, but the servicing team is still figuring out what to provide, if anything.

Windows server OS is 2019 and up, curl does not come with the OS for 2016.

I haven’t heard anything from Microsoft but our ISO team is interested.

An update from MS is the only way this is getting solved.

I mean you could self develop something, but it will break an eventual cumulative update by swapping out curl.exe. Would have to revert it before patching.

Unfortunately, the updates from MS appear to only be 2019 and up.

Which vulnerabilities are you concerned about? The last High-severity in Curl I see is from 2023 - CVE-2023-38545

There have been several low or moderate ones since then.

CVE-2025-0167 for starters. Latest from MS, “we currently don’t have a definitive timeline for a scheduled fix to release cURL 8.12.1 on Windows Server 2019 and Windows Server 2022”

Nice!

8.13 is already out too, curl - Download

Ah, ok, that one is indeed considered a ‘Low’ because it requires an unusual configuration on the client-side to be exploitable.

I haven’t heard anything from the Microsoft side, either; when they release a patch I’m sure we’ll follow up with a Fixlet to deploy.

I submitted a similar question regarding Curl. Below was my question.

I just wanted to throw this out there to see if others are getting the same vulnerability for Server 2019 and Server 2022 for Curl Integer Overflow Vulnerability - CVE-2025-0725 and Curl Exposure of Sensitive Information Vulnerability - CVE-2025-0167. I am seeing a lot of our servers impacted by CVE-2025-0167.

From what I recall from another vulnerability, I believe last October, for libcurl, Microsoft included the fix in its monthly cumulative update. I have looked around; however, the exact release date is not confirmed. So, I guess for now I wanted to wait for MS to include it in a patch. I don’t want to break patching, repair, and upgrades. Wasn’t sure if anyone else has heard anything different or is trying to remediate it manually or create a fixlet for the vulnerability.

Thought I would add this.
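For anyone inventorying which servers are affected while waiting on the Microsoft update, here is an added check (not from any post above or from BigFix) that reports whether the curl.exe in System32 is older than 8.12.1, the version the thread cites as carrying the fix. It assumes the default install path and the standard first line of `curl --version` output; the threshold version is a parameter you can adjust.

```powershell
# Added example: flag a Windows Server whose built-in curl.exe is below the fixed version.
# Assumptions: curl.exe lives in %SystemRoot%\System32 and the first line of
# 'curl --version' reads like "curl 8.9.1 (Windows) libcurl/8.9.1 ...".
param(
    [version]$FixedVersion = [version]'8.12.1',
    [string]$CurlPath = (Join-Path $env:SystemRoot 'System32\curl.exe')
)

if (-not (Test-Path $CurlPath)) {
    # Server 2016 does not ship curl.exe at all, so "not present" is not "vulnerable".
    Write-Output "curl.exe not present at $CurlPath (nothing to assess)"
    return
}

# Ask the binary itself rather than trusting file metadata alone.
$firstLine = & $CurlPath --version | Select-Object -First 1

if ($firstLine -match '^curl\s+(\d+\.\d+\.\d+)') {
    $installed   = [version]$Matches[1]
    $fileVersion = (Get-Item $CurlPath).VersionInfo.FileVersion

    # One object per host, easy to collect across servers or feed into a report.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CurlPath     = $CurlPath
        Installed    = $installed
        FileVersion  = $fileVersion
        BelowFixed   = ($installed -lt $FixedVersion)
    }
} else {
    Write-Warning "Could not parse a curl version from: $firstLine"
}
```

Run it through your existing remote-execution tooling to get one row per server; a `BelowFixed` of `True` just means the host still needs the vendor update, not that any of the listed CVEs is reachable in your configuration.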