Posted on Oct 12 • Originally published at snyk.io On October 3, 2023, the Curl team preannounced a pending fix for a high-severity vulnerability, which impacts both libcurl and curl. Snyk products help you identify and fix vulnerable packages and containers, but this vulnerability impacts curl, a command-line tool that many developers use on a daily basis. It's also distributed with many operating systems, so we thought it would be beneficial to provide some tips on how you can get it upgraded on your system.In this section, we provide version check and upgrade advice for different operating systems. Knowing this in advance will help you upgrade when the 8.4.0 version is released.Note: This section covers using the latest version of curl on the latest version of MacOS running on M1 Mac’s. For Intel Macs or older versions of MacOS, your mileage may vary.On macOS Ventura (13.5.2) and higher, curl is installed by default. However, it’s an older version of curl (8.1.2). Snyk recommends installing a newer version and setting this as your default, as the built-in version of curl has known vulnerabilities.The good news is that if you update to the latest version following these instructions, you’ll be well prepared to update again when curl 8.4.0 is released.The most popular third-party package manager for macOS is Homebrew. The latest version of curl on Homebrew is 8.3.0, released mid-September.Install curl with Homebrew by executing the following:You won’t be done just yet. This is what’s referred to as a “keg only” install. Homebrew takes care not to overwrite or override utilities that ship with macOS by default. So, you have to explicitly express that you want to use the Homebrew-installed version of curl over the system default. You do this by making sure that the Homebrew executable path is first in your system path. The default location for homebrew installs in macOS is /opt/homebrew (you can verify your homebrew path with the brew --prefix command), and you can prepend your path with the homebrew version via the following command (using your brew prefix):Note: Previous versions of Homebrew used a different path, and previous versions of macOS used bash instead of zsh.You can confirm that you’re using the correct version of curl by opening up a new terminal window and executing:You should see something like this:When Homebrew is updated with the 8.4.0 version of curl, you can simply run thebrew install curl command again to get the latest version. We’ll update this post when the 8.4.0 version is released for Homebrew.Windows 10 (build 1803) and higher come with curl pre-installed but with an older version. To test that you have curl and what version you’re using, you’ll need to open the Command Prompt. Click on the Start menu and type cmd on your keyboard. In the Command Prompt, enter curl --version to see if you have curl installed and which version. Anything less than 8.4.0 will need to be updated.Another thing to double-check is if you’re using the pre-installed version of curl on Windows or a separate curl installation. Check this by entering where curl in your Command Prompt. If the path shown in the result includes C:\Windows\System32, then it’s referencing the pre-installed version of curl:Once you’ve identified whether you have curl installed, what version you’re using, and whether it’s the pre-installed version or a separate install, you’re equipped with all the information you need to update to the latest version. When it comes to the pre-installed version of curl, this is provided and managed by Microsoft and, therefore, can only safely be updated through a Windows Update published by Microsoft. You can check for an official update to Windows by clicking on your Start menu, typing “Windows Update,” and selecting the “Check for updates” option. This will open the Settings app and display the Windows Update view. There, you can click on the “Check for updates” button to retrieve any of the latest updates released from Microsoft, and one will likely include the patched version of curl.Outside of an official Windows Update, you do have some options to update to the latest version and use it instead of the pre-installed one. All of these options will involve modifying your PATH environment variables, so if you’re uncomfortable doing that, you should wait for an official Windows Update, as noted above.Installing a newer version of curl on Windows can be done in a few ways: Through a Windows package manager (like homebrew for macOS):Build it from sourceThe quickest and easiest way to install/update curl on Windows is with Winget.In your command prompt, run winget install curl.curl. This will install curl using the native winget packages directory and add it to your User Path environment variable for you. However, when you run curl --version, it will default to the pre-installed curl on your system and not the newly installed version. Find the curl value Winget added to your User Path variable and copy it. Then, add it to your System Path variable as a top priority (above “C:\Windows\system32”). It should look similar to the following:Once that’s done, go back to your Command Prompt and run refreshenv so it picks up your environment variable changes. When that completes, run curl --version to verify it is now using the latest installed version of curl that Winget installed for you.First, install Chocolatey if you don’t already have it. You can read more about doing this from Chocolatey’s documentation. After it’s installed and ready to use, you can run the following command from the Command Prompt/terminal as an Administrator:However, you’re not done yet. If you run curl --version, you’ll notice that it still reports as the previous/older version. To fix this, you need to update your system environment variables. Click on your Start menu, type Edit the system environment variables, and select the first option. Once the System Properties window opens, click the Environment Variables… button, which will open a new window titled Environment Variables. In this window, look for the System variables section and find the entry for Path under the Variable column.Click on the Edit… button to edit the value and find the entry for chocolatey as C:\ProgramData\chocolatey\bin. Select that entry and use the Move Up button to move it to the top of the list, then click OK.Now, back in your Command Prompt/terminal, enter refreshenv to update with the changes you made to your environment variables. After that, run curl --version again, and you should see the updated version is now being used. You can also run where curl to see the two installed instances of curl on your machine: the first should be your new version installation location, and the second should show the system installation location. You’re all set to start using the new version of curl now.If you run curl --version and determine that you're running a vulnerable version, you can update it on your system once the fixed version is available.Updating curl on Linux largely depends on which package manager your distribution is using, but these commands should give you an idea of how to proceed based on your distro. Generically, you'll probably want to tell the package manager to refresh the package index cache and then install a new version. Specifically, per distro, you would:For apt based distros, such as Debian or Ubuntu:For snap packages (primarily Ubuntu):For distros that use dnf, such as RHEL, Rocky, and Fedora:And for apk on Alpine:Note that getting an upgraded version would have a prerequisite of the various distros updating their package repositories. If, after running the appropriate command for your distribution, you run curl --version, and you don’t see the 8.4.0, check your path to be sure no other version is installed ahead of it. Alternatively, you can go to curl - Download to find a compiled binary for your platform.In the above example, a copy of the older version is at ~/bin/curl, and since that is in my path first, it’s picking it up. Remove the older version or take it out of your path to resolve.The latest build-from-source results in version 8.4.0-DEV. While there’s no guarantee that the latest code has the fix for the high vulnerability in it, if you’re comfortable with building from source, you will be able to get the absolute latest version first on October 11.In this section, we’ll look at building on an M1 Mac running MacOS Ventura. The developer team, led by Daniel Stenberg (badger on GitHub), has done a remarkable job of making curl easy to build on different OS’s.In the installation documentation, there’s a section on building and installing for Mac that worked out of the box for us. Note: You will need to have Xcode command line tools installed for this to work.I executed the following to build curl:I then confirmed the build with the following:You can then put this newly compiled curl in a local ~/bin dir or something earlier in your path than the default curl, until your distro/operating system provides an update. Once an update is available, we'd suggest adopting that and removing rogue copies in case of future vulnerabilities.Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well Confirm For further actions, you may consider blocking this person and/or reporting abuse Maxi Contieri - Oct 12 Kenichiro Nakamura - Oct 12 Clayton Walker - Oct 12 Sloan the DEV Moderator - Oct 12 Automatically find and fix vulnerabilities in your code, open source, and containers. Once suspended, snyk will not be able to comment or publish posts until their suspension is removed. Once unsuspended, snyk will be able to comment and publish posts again. Once unpublished, all posts by snyk will become hidden and only accessible to themselves. If snyk is not suspended, they can still re-publish their posts from their dashboard. Note: Once unpublished, this post will become invisible to the public and only accessible to SnykSec. They can still re-publish the post if they are not suspended. Thanks for keeping DEV Community safe. Here is what you can do to flag snyk: snyk consistently posts content that violates DEV Community's code of conduct because it is harassing, offensive or spammy. Unflagging snyk will restore default visibility to their posts. DEV Community — A constructive and inclusive social network for software developers. With you every step of your journey. Built on Forem — the open source software that powers DEV and other inclusive communities.Made with love and Ruby on Rails. DEV Community © 2016 - 2023. We're a place where coders share, stay up-to-date and grow their careers.