{"id":"CURL-CVE-2014-0138","summary":"wrong reuse of connections","details":"libcurl can in some circumstances reuse the wrong connection when asked to\ndo transfers using other protocols than HTTP and FTP.\n\nlibcurl features a pool of recent connections so that subsequent requests\ncan reuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must first be met. Due to an\nerror in the code, a transfer that was initiated by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. The existing logic basically only\nworked well enough for HTTP and FTP, while all other network protocols were\nsilently, but erroneously, assumed to work like HTTP. Basically, protocols\nthat use connection oriented authentication need a new connection when new\ncredentials are used.\n\nAffected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and\nLDAP(S).\n\nApplications can disable libcurl's reuse of connections and thus mitigate\nthis problem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).\n\n(This problem is similar to a problem previously reported to NTLM HTTP\nconnections, named [CVE-2014-0015](CVE-2014-0015.html))","aliases":["CVE-2014-0138"],"modified":"2026-04-25T16:17:52.420611Z","published":"2014-03-26T08:00:00Z","database_specific":{"affects":"both","last_affected":"7.35.0","severity":"Medium","CWE":{"id":"CWE-305","desc":"Authentication Bypass by Primary Weakness"},"package":"curl","URL":"https://curl.se/docs/CVE-2014-0138.json","www":"https://curl.se/docs/CVE-2014-0138.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.10.6"},{"fixed":"7.36.0"}]}],"versions":["7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2014-0138.json"}}],"schema_version":"1.7.5","credits":[{"name":"Steve Holme","type":"FINDER"},{"name":"Steve Holme","type":"REMEDIATION_DEVELOPER"}]}