CURL-CVE-2016-3739

Source
https://curl.se/docs/CVE-2016-3739.html
Import Source
https://curl.se/docs/CURL-CVE-2016-3739.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2016-3739
Aliases
Published
2016-05-18T08:00:00Z
Modified
2026-05-27T02:29:16.862928Z
Summary
TLS certificate check bypass with mbedTLS/PolarSSL
Details

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3.

This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend.

The documentation for mbedTLS and PolarSSL (wrongly) says that the API function ssl_set_hostname() is used only for setting the name for the TLS extension SNI. The set string is, however, even more importantly used by the libraries to verify the server certificate, and if no "hostname" is set the library skips the check and successfully continues with the handshake.

libcurl would wrongly avoid calling the function when the specified hostname was given as an IP address or when SSLv3 was used, as SNI is not supposed to be used then. As a result, all uses of TLS-oriented protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.) allowed connections to servers with unverified server certificates as long as the host was specified as an IP address or SSLv3 was used.

By tricking a libcurl-using client into using a URL whose host is specified as an IP address only, an application could be made to connect to an impostor server or Man In The Middle host without noticing.

Note: PolarSSL is the old name of the library that is nowadays known and released under the name mbedTLS.

Database specific
{
    "URL": "https://curl.se/docs/CVE-2016-3739.json",
    "last_affected": "7.48.0",
    "affects": "both",
    "www": "https://curl.se/docs/CVE-2016-3739.html",
    "package": "curl",
    "severity": "High",
    "CWE": {
        "desc": "Improper Validation of Certificate with Host Mismatch",
        "id": "CWE-297"
    }
}
References
Credits
    • Moti Avrahami - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced 7.21.0; Fixed 7.49.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: (none listed in this record)

Affected versions

7.*
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
Other
curl-7_21_0
curl-7_21_1
curl-7_21_2
curl-7_21_3
curl-7_21_4
curl-7_21_5
curl-7_21_6
curl-7_21_7
curl-7_22_0
curl-7_23_0
curl-7_23_1
curl-7_24_0
curl-7_25_0
curl-7_26_0
curl-7_27_0
curl-7_28_0
curl-7_28_1
curl-7_29_0
curl-7_30_0
curl-7_31_0
curl-7_32_0
curl-7_33_0
curl-7_34_0
curl-7_35_0
curl-7_36_0
curl-7_37_0
curl-7_37_1
curl-7_38_0
curl-7_39_0
curl-7_40_0
curl-7_41_0
curl-7_42_0
curl-7_42_1
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0

Database specific

vanir_signatures_modified
"2026-05-27T02:29:16Z"
vanir_signatures
[
    {
        "id": "CURL-CVE-2016-3739-1f7cde52",
        "target": {
            "file": "lib/vtls/mbedtls.c"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "202569997823797167088441078705887588675",
                "140997351942235197458575876881876230698",
                "95856649312950224624428804969501053919",
                "231872359366839169123633691355951768597",
                "242123234287323998123007407185640467515",
                "188319951280381205884646307466977721287",
                "32464786281486503244053591555064270046",
                "340133065903618466084750668242347162542",
                "6829067414076471645178413472443550005",
                "278215882298194168328363957778405548004"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d",
        "signature_version": "v1"
    },
    {
        "id": "CURL-CVE-2016-3739-47e09da7",
        "target": {
            "file": "lib/vtls/polarssl.c"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "91477970112647442103438772945601033890",
                "218301914338796467834243165078488752148",
                "199157532542976154053541621729926549550",
                "231872359366839169123633691355951768597",
                "303354181271854098824122155148907554613",
                "223636590846625461169116129542565210113",
                "134873669455333081670362266164411366586",
                "197549729935323838870862303803933001812",
                "331061034828677157003209928854333536774",
                "278215882298194168328363957778405548004"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d",
        "signature_version": "v1"
    },
    {
        "id": "CURL-CVE-2016-3739-930f1429",
        "target": {
            "file": "lib/vtls/polarssl.c",
            "function": "polarssl_connect_step1"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "278335692291154105246462499520271183002",
            "length": 6840.0
        },
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d",
        "signature_version": "v1"
    },
    {
        "id": "CURL-CVE-2016-3739-f3299443",
        "target": {
            "file": "lib/vtls/mbedtls.c",
            "function": "mbed_connect_step1"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "119002447290259833848037898670058351115",
            "length": 7431.0
        },
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d",
        "signature_version": "v1"
    }
]
source
"https://curl.se/docs/CURL-CVE-2016-3739.json"