
Uh, it's pretty well-known that Apple ships some absolutely ancient stuff in macOS. It can't be that hard to find a reference… but, here ya go:

  » curl --version
  curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (securetransport) libressl/2.8.3 zlib/1.2.11 nghttp2/1.41.0
  release-date: 2019-03-27
  protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
  features: asynchdns gss-api http2 https-proxy ipv6 kerberos largefile libz multissl ntlm ntlm_wb spnego ssl unixsockets
  » bash --version
  gnu bash, version 3.2.57(1)-release (x86_64-apple-darwin20)
  copyright (c) 2007 free software foundation, inc.
So unless Apple has some patches on top of that, as curl's website says, there are 22 vulns in that 2.5 yo version.[1]

That version of bash is from about when the copyright indicates, i.e., 14 years ago. Thankfully there probably isn't a good exploit path for bash that doesn't already involve one being able to run code, but still, as a dev, it'd be nice to get a more recent version.

[1]: https://curl.se/docs/releases.html
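A small audit script, added here and not part of the comment above, that turns the manual `curl --version` / `bash --version` check into something an inventory job can run: it parses the first line of each tool's output, compares the dotted version numerically against a minimum, and reports which bundled tools fall below it. The sample output is copied from the comment; the baseline versions (`MIN_CURL`, `MIN_BASH`) are operator-chosen placeholders, not values the thread states.

```shell
#!/bin/sh
# Added example, not code from the comment above: audit the bundled curl and
# bash against a minimum acceptable version. POSIX sh only, so it runs on the
# stock macOS /bin/sh. The baselines below are placeholders; set them to the
# release you actually require.
MIN_CURL=${MIN_CURL:-7.79.1}
MIN_BASH=${MIN_BASH:-5.0.0}

# Version string from `curl --version` output: second token of the first line.
curl_version() {
  printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }'
}

# Version string from `bash --version` output: fourth token of the first line,
# with the "(1)-release" suffix stripped.
bash_version() {
  printf '%s\n' "$1" | head -n 1 | awk '{ sub(/\(.*/, "", $4); print $4 }'
}

# True (exit 0) when dotted version $1 is strictly older than $2.
# Components are compared numerically, so 7.64.1 is NOT older than 7.9.0,
# and a missing component counts as 0 (3.2 is older than 3.2.1).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# Prints one report line and returns 1 when the installed version is too old.
check_tool() {
  tool=$1; have=$2; want=$3
  if version_lt "$have" "$want"; then
    printf '%s %s OUTDATED (want >= %s)\n' "$tool" "$have" "$want"
    return 1
  fi
  printf '%s %s OK\n' "$tool" "$have"
}

# Audit captured curl and bash output; returns 1 if either tool is outdated.
audit() {
  rc=0
  check_tool curl "$(curl_version "$1")" "$MIN_CURL" || rc=1
  check_tool bash "$(bash_version "$2")" "$MIN_BASH" || rc=1
  return "$rc"
}

# Sample output copied from the comment above, so the audit runs offline.
# Replace with "$(curl --version)" and "$(bash --version)" for a live check.
SAMPLE_CURL='curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (securetransport) libressl/2.8.3 zlib/1.2.11 nghttp2/1.41.0
release-date: 2019-03-27'
SAMPLE_BASH='gnu bash, version 3.2.57(1)-release (x86_64-apple-darwin20)
copyright (c) 2007 free software foundation, inc.'

audit "$SAMPLE_CURL" "$SAMPLE_BASH" || printf 'one or more bundled tools are below the baseline\n'
```

Run against live output by substituting `"$(curl --version)"` and `"$(bash --version)"` for the samples; the non-zero exit status lets a CI or fleet-inventory job fail on stale builds. Note that a version check alone does not account for vendor backports, which is exactly the caveat the comment raises about Apple's patches.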




Subsequent versions of bash are GPLv3 “encumbered”. Apple as an organisation have decided that the best way to avoid potential licensing issues with GPLv3 is to avoid GPLv3, which appears to be part of the intent of GPLv3. Tell me, who is hurting consumers of software? I will accept that Apple is partly to blame - they could be, and should be, more open and perhaps contribute more, or at least follow Google’s lead and use it as marketing. But the GPLv3 is a burdensome license that even the star of the movement has rejected. That is holding back OSS as much as anything else. Making it commercially hard to use the software isn’t helping adoption or contributions.



