ASA-2019-00390 – curl: Windows OpenSSL engine code injection

Allele Security Alert

Identifier(s)

ASA-2019-00390, CVE-2019-5443

Title

Windows OpenSSL engine code injection

Vendor of the product(s)

the Curl Project



Affected version(s)

curl for Windows before version 7.65.1_2 (all versions up to and including 7.65.1_1)

Fixed version(s)

curl for Windows version 7.65.1_2

Proof of concept

Description

A non-privileged user or program can place a shared library and an OpenSSL configuration file under a well-known, non-privileged path (C:/usr/local/), and curl will then automatically load and run that library as an OpenSSL "engine" on every invocation. If such a curl is invoked by a privileged user, the planted code runs with that user's privileges and can do anything that user can.

This flaw exists in the official curl-for-Windows binaries built and hosted by the curl project (all versions up to and including 7.65.1_1). It does not exist in the curl executable shipped by Microsoft and bundled with Windows 10. It possibly exists in other curl builds for Windows that use OpenSSL as well.

Technical details

This bug crept in partly because of insecure default build options in OpenSSL when it is cross-compiled (the compiled-in configuration and engine directories default to a /usr/local prefix, which a Windows binary resolves to a path under C:/usr/local/ that ordinary users can create) and partly because of a misleading commit message in the curl commit that made it possible to disable this feature, namely libcurl's automatic loading of the OpenSSL configuration file at initialisation, which is what allows a planted configuration file to register and load an engine.

This bug does not exist in the curl or libcurl source code but in the build scripts used to produce the Windows binaries.
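As an added example (not code from this advisory or from the curl project), the following Python script checks whether a curl or OpenSSL binary was built with the kind of directories described above and in the Technical details. It relies on the fact that OpenSSL embeds its build-time OPENSSLDIR and ENGINESDIR as literal strings of the form OPENSSLDIR: "<path>" (crypto/cversion.c), which also end up inside a statically linked curl.exe. The list of user-writable prefixes beyond C:/usr/local/ and the two sample byte strings are constructed assumptions for illustration, not dumps of real curl releases.

```python
"""Flag curl/OpenSSL binaries whose compiled-in OPENSSLDIR or ENGINESDIR points
at a path an unprivileged Windows user could populate (the CVE-2019-5443 pattern).

Added example; not from the advisory or the curl project. Assumptions are marked.
"""
import os
import re
import sys

# OpenSSL (crypto/cversion.c) embeds its build-time directories as literal
# strings:  OPENSSLDIR: "<path>"   and   ENGINESDIR: "<path>"
# A statically linked curl.exe therefore carries them too.
_DIR_RE = re.compile(rb'(OPENSSLDIR|ENGINESDIR): "([^"\x00]*)"')

# C:/usr/local is the cross-compile default at issue in this advisory: ordinary
# users can create directories directly under C:\, so nothing stops them from
# planting C:/usr/local/ssl/openssl.cnf. The remaining entries are assumptions
# (common user-writable locations) listed for illustration only.
UNPRIVILEGED_PREFIXES = (
    "c:/usr/local/",
    "c:/users/",
    "c:/temp/",
    "c:/tmp/",
)


def normalize(path: str) -> str:
    """Canonical, case-insensitive form: forward slashes and one trailing slash."""
    return path.replace("\\", "/").lower().rstrip("/") + "/"


def extract_openssl_dirs(blob: bytes) -> dict:
    """Return {'OPENSSLDIR': path, 'ENGINESDIR': path} for the strings found in blob."""
    found = {}
    for key, value in _DIR_RE.findall(blob):
        # Keep the first occurrence of each kind.
        found.setdefault(key.decode("ascii"), value.decode("ascii", "replace"))
    return found


def is_unprivileged_path(path: str) -> bool:
    """True if the path lies under a prefix an ordinary user can write to."""
    p = normalize(path)
    return any(p.startswith(prefix) for prefix in UNPRIVILEGED_PREFIXES)


def assess(blob: bytes) -> list:
    """Return (kind, path, risky) triples for the directories embedded in blob."""
    dirs = extract_openssl_dirs(blob)
    return [(kind, path, is_unprivileged_path(path)) for kind, path in sorted(dirs.items())]


def planted_config_exists(openssldir: str) -> bool:
    """On a live host: is there already an openssl.cnf in the (unprivileged) OPENSSLDIR?

    OpenSSL reads <OPENSSLDIR>/openssl.cnf at initialisation when the caller asks
    for config loading; that file is how a planted engine gets registered.
    """
    return os.path.isfile(os.path.join(openssldir, "openssl.cnf"))


def scan_file(filename: str) -> list:
    with open(filename, "rb") as f:
        return assess(f.read())


# Constructed stand-ins for a binary: a little padding around the strings an
# OpenSSL build embeds. These are NOT dumps of real curl releases.
SAMPLE_CROSS_COMPILED = (
    b"MZ\x90\x00padding\x00"
    b'OPENSSLDIR: "C:/usr/local/ssl"\x00'
    b'ENGINESDIR: "C:/usr/local/lib/engines-1_1"\x00'
    b"more padding\x00"
)
SAMPLE_SYSTEM_DIR = (  # assumed contrasting layout, for illustration only
    b"MZ\x90\x00padding\x00"
    b'OPENSSLDIR: "C:/Program Files/OpenSSL/ssl"\x00'
    b'ENGINESDIR: "C:/Program Files/OpenSSL/lib/engines-1_1"\x00'
)


def main(argv):
    targets = argv[1:]
    if targets:
        results = {t: scan_file(t) for t in targets}
    else:  # no file given: show the two constructed samples
        results = {"<cross-compiled sample>": assess(SAMPLE_CROSS_COMPILED),
                   "<system-dir sample>": assess(SAMPLE_SYSTEM_DIR)}
    for name, findings in results.items():
        print(name)
        if not findings:
            print("  no OpenSSL directory strings found (not OpenSSL-based, or stripped)")
        for kind, path, risky in findings:
            verdict = "USER-WRITABLE PREFIX" if risky else "not under a known user-writable prefix"
            print(f"  {kind:10s} {path}  ->  {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a downloaded curl.exe or a libcrypto DLL. A hit under C:/usr/local/ means the binary looks for openssl.cnf and engine libraries in directories that any local user may be able to create, and planted_config_exists() can then confirm on the host whether such a file is already in place. A path outside the listed prefixes is not proof of safety: the ACLs of the actual directory still need checking, and OpenSSL also honours the OPENSSL_CONF environment variable, so the environment of privileged callers matters as well.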


Credit

Rich Mirch

Reference(s)

Windows OpenSSL engine code injection

curl: Windows OpenSSL engine code injection



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.