October 11, 2023
On October 3, 2023, the curl team preannounced a pending fix for a high-severity vulnerability, which impacts both
Snyk products help you identify and fix vulnerable packages and containers, but this vulnerability impacts curl, a command-line tool that many developers use on a daily basis. It's also distributed with many operating systems, so we thought it would be beneficial to provide some tips on how you can get it upgraded on your system.
How to Update cURL on your OS
In this section, we provide version check and upgrade advice for different operating systems. Knowing this in advance will help you upgrade when the 8.4.0 version is released.
Updating cURL on macOS
Note: This section covers using the latest version of curl on the latest version of macOS running on Apple silicon (M1) Macs. For Intel Macs or older versions of macOS, your mileage may vary.
On macOS Ventura (13.5.2) and higher, curl is installed by default. However, it’s an older version of curl (8.1.2). Snyk recommends installing a newer version and setting this as your default, as the built-in version of curl has known vulnerabilities.
The good news is that if you update to the latest version following these instructions, you’ll be well prepared to update again when curl 8.4.0 is released.
The most popular third-party package manager for macOS is Homebrew. The latest version of curl on Homebrew is 8.3.0, released mid-September.
Install curl with Homebrew by executing the following:
brew install curl
You won’t be done just yet. This is what’s referred to as a “keg-only” install: Homebrew takes care not to overwrite or shadow utilities that ship with macOS by default, so the new curl is not linked into the main Homebrew bin directory. To use the Homebrew-installed curl over the system default, the keg’s bin directory has to come before /usr/bin in your PATH. The default Homebrew prefix on Apple silicon is /opt/homebrew (it is /usr/local on Intel Macs; you can verify yours with the brew --prefix command), so the keg lives at $(brew --prefix)/opt/curl/bin. Prepend it to your PATH with the following command, substituting your own brew prefix. Run it only once: each run appends another line to ~/.zshrc.
echo 'export PATH="/opt/homebrew/opt/curl/bin:$PATH"' >> ~/.zshrc
Note: Previous versions of Homebrew used a different prefix, and previous versions of macOS used bash instead of zsh, in which case the line belongs in your bash profile rather than ~/.zshrc.
You can confirm that you’re using the correct version of curl by opening a new terminal window and executing:
curl --version
You should see something like this:
curl 8.3.0 (aarch64-apple-darwin22.6.0) libcurl/8.3.0 (SecureTransport) OpenSSL/3.1.3 zlib/1.2.11 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.56.0 librtmp/2.3 OpenLDAP/2.6.6 Release-Date: 2023-09-13
When Homebrew is updated with the 8.4.0 version of curl, you can simply run the brew install curl command again to get the latest version. We’ll update this post when the 8.4.0 version is released for Homebrew.
Updating cURL on Windows
Windows 10 version 1803 and later come with curl pre-installed, but it is an older version. To check whether you have curl and which version you’re using, open the Command Prompt: click on the Start menu and type cmd. In the Command Prompt, enter curl --version to see if curl is installed and which version you have. Anything less than 8.4.0 will need to be updated.
C:\Users\bc>curl --version
curl 8.0.1 (Windows) libcurl/8.0.1 Schannel WinIDN
Release-Date: 2023-03-20
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
Another thing to double-check is whether you’re using the pre-installed version of curl on Windows or a separate curl installation. Check this by entering where curl in your Command Prompt. If the path shown in the result is under C:\Windows\System32, then it’s referencing the pre-installed version of curl:
C:\Users\bc>where curl
C:\Windows\System32\curl.exe
Once you’ve identified whether you have curl installed, what version you’re using, and whether it’s the pre-installed version or a separate install, you’re equipped with all the information you need to update to the latest version. When it comes to the pre-installed version of curl, this is provided and managed by Microsoft and, therefore, can only safely be updated through a Windows Update published by Microsoft. You can check for an official update to Windows by clicking on your Start menu, typing “Windows Update,” and selecting the “Check for updates” option. This will open the Settings app and display the Windows Update view. There, you can click on the “Check for updates” button to retrieve any of the latest updates released from Microsoft, and one will likely include the patched version of curl.
Outside of an official Windows Update, you do have some options to update to the latest version and use it instead of the pre-installed one. All of these options will involve modifying your PATH environment variables, so if you’re uncomfortable doing that, you should wait for an official Windows Update, as noted above.
Installing a newer version of curl on Windows can be done in a few ways. Through a Windows package manager (the equivalent of Homebrew on macOS) is the most convenient, and the quickest and easiest way to install or update curl on Windows is with winget.
Installing cURL via Winget
In your command prompt, run winget install cURL.cURL (winget package IDs are case-insensitive, so curl.curl works as well). This will install curl into the winget packages directory and add its location to your User Path environment variable for you. However, when you run curl --version, it will still report the pre-installed curl and not the newly installed version: Windows resolves the System Path before the User Path, so C:\Windows\System32 wins over the entry winget added.
Find the curl value winget added to your User Path variable and copy it. Then, add it to your System Path variable as a top priority (above C:\Windows\system32).
Once that’s done, go back to your Command Prompt and run refreshenv so it picks up your environment variable changes. Note that refreshenv is provided by Chocolatey; if you don’t have Chocolatey installed, simply close and reopen the Command Prompt instead. When that completes, run curl --version to verify it is now using the version of curl that winget installed for you.
Installing cURL via Chocolatey
First, install Chocolatey if you don’t already have it. You can read more about doing this from Chocolatey’s documentation. After it’s installed and ready to use, you can run the following command from the Command Prompt/terminal as an Administrator:
choco install curl
However, you’re not done yet. If you run
curl --version, you’ll notice that it still reports as the previous/older version. To fix this, you need to update your system environment variables. Click on your Start menu, type Edit the system environment variables, and select the first option. Once the System Properties window opens, click the Environment Variables… button, which will open a new window titled Environment Variables. In this window, look for the System variables section and find the entry for Path under the Variable column.
Click on the Edit… button to edit the value and find the entry for Chocolatey, C:\ProgramData\chocolatey\bin. Select that entry and use the Move Up button to move it to the top of the list, then click OK.
Now, back in your Command Prompt/terminal, enter refreshenv to update with the changes you made to your environment variables. After that, run curl --version again, and you should see the updated version is now being used. You can also run where curl to see the two installed instances of curl on your machine: the first should be your new installation, and the second the system installation. You’re all set to start using the new version of curl now.
C:\Users\bc>where curl
C:\ProgramData\chocolatey\bin\curl.exe
C:\Windows\System32\curl.exe
Updating cURL on Linux
If you run curl --version and determine that you're running a vulnerable version, you can update it on your system once the fixed version is available.
Updating curl on Linux largely depends on which package manager your distribution uses, but these commands should give you an idea of how to proceed. Generically, you'll tell the package manager to refresh its package index and then install the new version; prefix the commands with sudo if you are not running as root. Per distro:
For apt-based distros, such as Debian or Ubuntu:
Refresh the index and install the latest version:
apt-get update
apt-get install --only-upgrade curl
For snap packages (primarily Ubuntu):
Install the latest version (or run snap refresh curl if curl is already installed as a snap):
snap install curl
For distros that use dnf, such as RHEL, Rocky, and Fedora:
Check for updates:
dnf check-update curl
Install the latest version:
dnf install curl
For distros that use apk, such as Alpine:
Refresh the index and install the latest version:
apk update
apk add --upgrade curl
Note that getting an upgraded version depends on each distribution publishing the fixed package in its repositories. Be aware, too, that enterprise and LTS distributions usually backport security fixes into the version they already ship rather than moving to 8.4.0, so on Debian, Ubuntu or RHEL, curl --version may keep reporting the old upstream version after the fix is installed. Confirm the fix through your distribution's security advisory or the package changelog (apt changelog curl on Debian/Ubuntu, rpm -q --changelog curl on RHEL-family systems) rather than from the version number alone.
If, after running the appropriate command for your distribution, you run curl --version and still don’t see the fixed version, check your PATH to be sure no other copy of curl is installed ahead of the packaged one. Alternatively, you can go to curl - Download (https://curl.se/download.html) to find a compiled binary for your platform.
$ curl --version
curl 7.81.0 …
$ which curl
/home/ubuntu/bin/curl
$ echo $PATH
/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ /usr/bin/curl --version
curl 8.4.0 …
In the above example, a copy of the older version is at ~/bin/curl, and since that directory comes first in the PATH, the shell picks it up. Remove the older copy or take its directory out of your PATH to resolve this.
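The PATH check described above, and the keg-only PATH edit from the macOS section, are easy to get wrong by hand, so here is an added example script (not part of the original post or of the curl project) that does both mechanically: it walks every directory on PATH in precedence order, reports each curl binary it finds with its version and whether that version is below a minimum, and builds a PATH with a chosen directory (such as the Homebrew keg path) first without creating duplicate entries. The threshold 8.4.0, the function names, and the file name in the final comment are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or the curl project): list every curl on
# PATH in precedence order, flag versions below MIN_VERSION, and build a PATH with a
# chosen directory first without duplicating it. Written in POSIX sh so it runs under
# bash, dash and zsh alike. MIN_VERSION = 8.4.0 is an assumption (the release this post expects).
set -u

MIN_VERSION="8.4.0"

# version_field VERSION N -> numeric field N of a dotted version, 0 when absent.
# A suffix such as "-DEV" in "8.4.0-DEV" is discarded.
version_field() {
  vf_v=$1; vf_n=$2
  while [ "$vf_n" -gt 1 ]; do
    case $vf_v in *.*) vf_v=${vf_v#*.} ;; *) vf_v="" ;; esac
    vf_n=$((vf_n - 1))
  done
  vf_v=${vf_v%%.*}        # keep only this field
  vf_v=${vf_v%%[!0-9]*}   # drop anything after the leading digit run
  printf '%s\n' "${vf_v:-0}"
}

# version_cmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B (three numeric fields).
version_cmp() {
  vc_i=1
  while [ "$vc_i" -le 3 ]; do
    vc_x=$(version_field "$1" "$vc_i"); vc_y=$(version_field "$2" "$vc_i")
    if [ "$vc_x" -lt "$vc_y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$vc_x" -gt "$vc_y" ]; then printf '%s\n' 1; return 0; fi
    vc_i=$((vc_i + 1))
  done
  printf '%s\n' 0
}

# curl_version_from_output OUTPUT -> "x.y.z" from the first line of `curl --version`,
# e.g. "curl 8.3.0 (aarch64-apple-darwin22.6.0) libcurl/8.3.0 ..." -> 8.3.0.
# Prints an empty line when the text is not curl's banner (an error message, say).
curl_version_from_output() {
  cvo_first=$(printf '%s\n' "$1" | head -n 1)
  case $cvo_first in
    "curl "*) ;;
    *) printf '\n'; return 0 ;;
  esac
  cvo_v=${cvo_first#"curl "}      # strip the leading "curl "
  cvo_v=${cvo_v%% *}              # keep the token before the first space
  printf '%s\n' "${cvo_v%%-*}"    # and drop a "-DEV"-style suffix
}

# prepend_path_once DIR PATHVALUE -> PATHVALUE with DIR first and any other copies of DIR
# removed, so re-running it (unlike `echo 'export PATH=...' >> ~/.zshrc`) never grows PATH.
prepend_path_once() {
  ppo_dir=$1; ppo_rest=$2; ppo_out=""
  while :; do
    case $ppo_rest in
      *:*) ppo_entry=${ppo_rest%%:*}; ppo_rest=${ppo_rest#*:} ;;
      *)   ppo_entry=$ppo_rest;       ppo_rest="" ;;
    esac
    [ "$ppo_entry" = "$ppo_dir" ] || ppo_out="${ppo_out:+$ppo_out:}$ppo_entry"
    [ -n "$ppo_rest" ] || break
  done
  printf '%s\n' "$ppo_dir${ppo_out:+:$ppo_out}"
}

# audit_path_for_curl [PATHVALUE] -> one line per curl binary found, in PATH order:
# "<path> <version> ok|OUTDATED|unknown". Exit status 1 when the first match, which is
# what a bare `curl` command runs, is below MIN_VERSION. Defaults to the current PATH.
audit_path_for_curl() {
  apc_rest=${1:-$PATH}; apc_seen=0; apc_rc=0
  while :; do
    case $apc_rest in
      *:*) apc_dir=${apc_rest%%:*}; apc_rest=${apc_rest#*:} ;;
      *)   apc_dir=$apc_rest;       apc_rest="" ;;
    esac
    apc_bin="$apc_dir/curl"
    if [ -f "$apc_bin" ] && [ -x "$apc_bin" ]; then
      apc_ver=$(curl_version_from_output "$("$apc_bin" --version 2>/dev/null || true)")
      if [ -z "$apc_ver" ]; then
        apc_verdict="unknown"
      elif [ "$(version_cmp "$apc_ver" "$MIN_VERSION")" -lt 0 ]; then
        apc_verdict="OUTDATED"
      else
        apc_verdict="ok"
      fi
      if [ "$apc_seen" -eq 0 ]; then     # only the first hit decides the exit status
        apc_seen=1
        [ "$apc_verdict" = "ok" ] || apc_rc=1
      fi
      printf '%s %s %s\n' "$apc_bin" "${apc_ver:-?}" "$apc_verdict"
    fi
    [ -n "$apc_rest" ] || break
  done
  return "$apc_rc"
}

# `sh curl_path_audit.sh --audit` audits the live PATH (the file name is only a suggestion);
# with no argument the file just defines the functions, so it can be sourced.
case ${1:-} in
  --audit) audit_path_for_curl ;;
esac
```

Run it with --audit to list every curl on your PATH in precedence order; a non-zero exit status means the first match (the one a plain curl command executes) is below the threshold. Keep the backport caveat above in mind when reading the output: a distribution package that reports 7.81.0 may already carry the fix, so treat OUTDATED as a prompt to check the package changelog, not as proof of exposure.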
Feeling Brave? Build curl yourself!
The latest build-from-source results in version 8.4.0-DEV. While there’s no guarantee that the latest code has the fix for the high-severity vulnerability in it, if you’re comfortable with building from source, you will be able to get the absolute latest version first on October 11.
In this section, we’ll look at building on an M1 Mac running macOS Ventura. The developer team, led by Daniel Stenberg (bagder on GitHub), has done a remarkable job of making curl easy to build on different OSes.
In the installation documentation, there’s a section on building and installing for Mac that worked out of the box for us. Note: You will need to have Xcode command line tools installed for this to work.
I executed the following to build curl:
autoreconf -fi
export ARCH=arm64
export SDK=macosx
export DEPLOYMENT_TARGET=13.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
I then confirmed the build with the following:
./src/.libs/curl --version
curl 8.4.0-DEV (aarch64-apple-darwin) libcurl/8.4.0-DEV SecureTransport zlib/1.2.11 Release-Date: [unreleased]
You can then put this newly compiled curl in a local ~/bin dir, or somewhere else earlier in your path than the default curl, until your distro/operating system provides an update (with the --prefix given above, make install would place it under ./artifacts/bin). Once an update is available, we'd suggest adopting that and removing the stray copies, so they don't linger and miss the fix when the next vulnerability comes around.