{"id":"CURL-CVE-2016-8625","summary":"IDNA 2003 makes curl use wrong host","details":"When curl is built with libidn to handle International Domain Names (IDNA), it\ntranslates them to puny code for DNS resolving using the IDNA 2003 standard,\nwhile IDNA 2008 is the modern and up-to-date IDNA standard.\n\nThis misalignment causes problems with for example domains using the German ß\ncharacter (known as the Unicode Character `LATIN SMALL LETTER SHARP S`) which\nis used at times in the `.de` TLD and is translated differently in the two\nIDNA standards, leading to users potentially and unknowingly issuing network\ntransfer requests to the wrong host.\n\nFor example, `straße.de` is translated into `strasse.de` using IDNA 2003 but\nis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those\nhostnames could well resolve to different addresses and be two completely\nindependent servers. IDNA 2008 is mandatory for `.de` domains.\n\ncurl is not alone with this problem, as there is currently a big flux in the\nworld of network user-agents about which IDNA version to support and use.\n\nThis name problem exists for DNS-using protocols in curl, but only when built\nto use libidn.","aliases":["CVE-2016-8625"],"modified":"2026-04-25T20:30:38.445421Z","published":"2016-11-02T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2016-8625.html","package":"curl","URL":"https://curl.se/docs/CVE-2016-8625.json","last_affected":"7.50.3","affects":"both","CWE":{"desc":"Inappropriate Encoding for Output Context","id":"CWE-838"},"severity":"High"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.12.0"},{"fixed":"7.51.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"9631fa740708b1890197fad01e25b34b7e8eb80e"},{"fixed":"9c91ec778104ae3b744b39444d544e82d5ee9ece"}]}],"versions":["7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:38Z","source":"https://curl.se/docs/CURL-CVE-2016-8625.json"}}],"schema_version":"1.7.5","credits":[{"name":"Christian Heimes","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}