November 9, 2023

WordPress 6.4.1 fixes a serious bug in cURL/Requests

The 6.4 release of WordPress included a very serious bug that literally crashed most of the updated sites.

WordPress Error

WordPress contributors have been working hard over the last 24 hours to prepare the Maintenance release 6.4.1 after a critical bug emerged due to a change in the Requests library, causing problems with updates on servers running older versions of cURL.

Hosting companies including ours, have started reporting widespread impact of the bug.

#657 stops downloads from and many other sites when using Curl 7.29.0 (and maybe other versions) Error: RuntimeException: Could not get URL '': cURL error 28: Operation aborted after 10000 milliseconds with 807 on -1 bytes received. It also causes problems with the REST API in Site Health with the error: REST API response: (http_request_failed) cURL Error 28: Operation aborted after 10005 milliseconds with XXX out of XXX bytes received” It also prevents plugin and WordPress core updates, basically anything that relies on the internal Curl manager in WordPress. The issue became a top priority as it was unclear how it would be possible for users to receive an update.

Even if you fix this now, it prevents any future automatic upgrade to 6.4.1, as it breaks Curl requests, so the only way for people to upgrade would be manually, the longer you wait, the bigger the problem will become.

We found thousands of sites affected by the bug. The problem was beyond the capabilities of most users to fix manually, prompting hosts to figure out how to update their customers.

The bug was also reported to be causing potential issues with the Stripe API, WP-Admin, and performance.

Tiffany Bridge, product manager at Liquid Web/Nexcess, summarized how this issue emerged:

It seems that:

  • Someone reported a bug related to an interaction between their Intrusion Protection System and WordPress.
  • Next, they pushed their own patch to WordPress.
  • The project manager for that area asked the submitter to write tests, which he didn't do.
  • Then they merged the PR anyway, despite the lack of testing.
  • In the meantime, hosts will all need to roll back that change in our fleets so that our customers can still have little things like core and plugin updates if we're running an affected version of cURL. (7.29 confirmed, there may be more) WordPress core contributors will need to get to the bottom of how this bug was allowed, either through a post-mortem analysis or other discussion to prevent this from happening on a large scale in the future.

The WordPress 6.4.1 update updates the Requests library from version 2.0.8 to 2.0.9 as a fix release to mitigate the issue. Revert the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates were rolled out this evening to anyone with sites that support automatic background updates.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

Back to top