What’s New in cURL 8.16? Key Features, Security Fixes, and Performance Boosts
cURL 8.16, the 270th release, introduces 17 changes: it adds new command‑line options like --follow and --out‑null, enhances parallel connections, supports WebSocket read functions, updates TLS defaults, fixes two low‑severity CVEs, and delivers over 250 bug fixes, making it a must‑update for developers and ops teams.
Some numbers
The 270th release
17 changes
56 days (total: 10,036)
260 bug fixes (total: 12,538)
453 commits (total: 36,025)
2 new public libcurl functions (total: 98)
0 new curl_easy_setopt() options (total: 308)
3 new curl command‑line options (total: 272)
76 contributors, 39 newcomers (total: 3,499)
32 authors, 17 newcomers (total: 1,410)
2 security fixes (total: 169)
Security
Two low‑severity vulnerabilities were fixed:
CVE-2025-9086 – https://curl.se/docs/CVE-2025-9086.html – a bug in the cookie path handling that could allow a non‑secure cookie to overwrite a secure one.
CVE-2025-10148 – https://curl.se/docs/CVE-2025-10148.html – a WebSocket implementation error that prevented proper updating of the frame mask for each outgoing frame.
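A check for the behaviour behind CVE-2025-10148, as an added example that is not curl's code or part of the original article: it walks client-to-server WebSocket frames (RFC 6455 framing, which requires a fresh masking key per frame) and reports frames that reuse the previous frame's key. The function names and the sample bytes are constructed for illustration.

```python
import secrets
import struct

def build_frame(payload: bytes, mask: bytes, opcode: int = 0x2) -> bytes:
    """Encode one final, masked client-to-server frame (RFC 6455 section 5.2)."""
    n = len(payload)
    if n < 126:
        ext = bytes([0x80 | n])
    elif n < 1 << 16:
        ext = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        ext = bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode]) + ext + mask + masked

def masking_keys(stream: bytes) -> list:
    """Walk back-to-back client frames and return each frame's 4-byte masking key."""
    keys, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated frame header")
        if not stream[pos + 1] & 0x80:
            raise ValueError("client frame without MASK bit")
        length = stream[pos + 1] & 0x7F
        pos += 2
        if length == 126:
            (length,) = struct.unpack_from("!H", stream, pos)
            pos += 2
        elif length == 127:
            (length,) = struct.unpack_from("!Q", stream, pos)
            pos += 8
        if pos + 4 + length > len(stream):
            raise ValueError("truncated frame")
        keys.append(stream[pos:pos + 4])
        pos += 4 + length
    return keys

def reused_mask_frames(stream: bytes) -> list:
    """Indexes of frames whose masking key equals the previous frame's key."""
    keys = masking_keys(stream)
    return [i for i in range(1, len(keys)) if keys[i] == keys[i - 1]]

if __name__ == "__main__":
    # Constructed sample traffic, not captured from curl.
    stale = b"\x11\x22\x33\x44"
    payloads = (b"one", b"two", b"x" * 200)
    buggy = b"".join(build_frame(p, stale) for p in payloads)
    fresh = b"".join(build_frame(p, secrets.token_bytes(4)) for p in payloads)
    print(reused_mask_frames(buggy), reused_mask_frames(fresh))
```

Run against decrypted client-side frame bytes from a test harness, a non-empty result indicates a client that is not refreshing its mask per frame.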
What changed
This release adds several new features and options:
New command‑line option --follow
New command‑line option --out-null
New option --parallel-max-host to limit concurrent connections per host
Support for decimal seconds in --retry-delay and --retry-max-time
Long‑option syntax --longopt=value now supported
-w now supports %time{}
libcurl now caches negative name resolutions
Increased minimum mbedTLS version to 3.2.0
Added curl_multi_get_offt() for multi‑handle information
Added CURLMOPT_NETWORK_CHANGED to signal network changes
Environment variable NETRC handling improvements
Minimum mingw‑w64 version raised to v3.0
SMTP now accepts RFC 3461 suffixes after email addresses
Default TLS version is now at least 1.2
Dropped support for msh3
WebSocket now supports CURLOPT_READFUNCTION
Bug fixes
More than 250 bugs were fixed in this cycle; details are listed in the changelog.
Operations teams should consider upgrading to this version.
See the changelog for full details: https://curl.se/ch/
21CTO
