Curl_multi_exec() has been disabled for security reasons


I installed Grav for the first time (from the zip file of a skeleton) on my usual hosting, and I was very pleased to see that all the checks were successful (“PHP Modules: All modules look good!”, “Essential Folders: All folders look good!”, …).

Unfortunately, for every page I visit in the admin interface, I see the following message (in a red popup):

curl_multi_exec() has been disabled for security reasons

I checked the my PHP setting and actually my hosting disabled this PHP module (it is in the “disable_functions” section).
Therefore, I asked them to enable it but they told me that they cannot do this due to some security vulnerability since this is a “shared hosting”.

However, I do not see this as a strict requirement for Grav in the documentation.
Can you tell me if it can work also without this module?

Is there a way to fix this problem? (perhaps some settings that I can change?)


@DaniloP, A bit of research tells me that curl_multi_exec() is being referenced by vendor library CodeMirror, which is a Javascript based text editor and probably used for Markdown. Only Admin makes use of it.

It seems you have a few options:

  • Choose a different hoster.
    I haven’t seen anyone bumping into this issue in over 3 years…
  • Don’t use Admin
  • You may test your luck and see if there is a plugin that allow you to use a different editor like e.g. TinyMCE.

@pamtbaau Thank you for your quick answer.

Unfortunately, the site will be managed by “not-expert” people, and they will really need a “nice” user-interface.

I tried with different editors but the problem is still there and it is still causing problems.
These are some of the problems that I believe are due to this missing module (because locally they seem to work properly):

  • in the Dashboard page, the Notifications component keeps loading something forever (there is always the “spinning wheel”)
  • in the Dashboard page, the “News Feed” component contains a “warning sign” and the following text curl_multi_exec() has been disabled for security reasons
  • when I click the Add button in the Plugins page, it loads the “Available Plugins” page but I do not see any plugin and I get the message The connection to the GPM cannot be established
  • In the Site tab of the Configuration page, if I try to save (even without modifying anything), I get a “Forbidden” error (403). This does not happen in the other tabs (for instance, in System)
  • … (let me know if you want more, but I think these are enough to support my following question)

Do you know if this PHP module is used somewhere else?


@DaniloP, After an another view, my previous answer appears to be less than “accurate”… The search I performed excluded the ‘/vendor’ folder by default. :man_facepalming:

curl_multi_exec is being called by:

  • /vendor/symfony/http-client/Response/CurlResponse.php
  • /vendor/symfony/http-client/CurlHttpClient.php (2x)

Also, the changelog says:

# v1.7.0-rc.10

## 04/30/2020

1. [](#new)

    * Changed `Response::get()` used by **GPM/Admin** to use [Symfony HttpClient v4.4]( (`composer install --nodev` required for Git installations)

It seems to me that curl_multi_exec is quite inevitable…

@pamtbaau thank you for checking this.

It seems that I need to change my hosting provider…

Probably this should be added to the “requirements”.

Thank you very much for your help.