How we applied fuzzing techniques to cURL

In late 2022, Trail of Bits worked with OSTIF to assess cURL’s security, focusing on improving the fuzzing code to increase line coverage and test more libcurl options, such as HSTS and Alt-Svc. Adding seed files, enabling CURLOPT_HSTS, and setting the necessary environment variables significantly improved coverage for both features. The team also identified opportunities for further coverage growth, such as creating new seed files for various protocols. To make the fuzzing more effective, they suggested implementing dictionaries for different protocols, argv fuzzing for CLI vulnerabilities, and structure-aware fuzzing to enhance mutation and feedback. Further updates are expected in a 2023 follow-up.

https://blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/
