CURL-CVE-2017-8817

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2017-8817.html
Import Source
https://curl.se/docs/CURL-CVE-2017-8817.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2017-8817
Aliases
Published
2017-11-29T08:00:00Z
Modified
2026-05-27T02:29:38.182923Z
Summary
FTP wildcard out of bounds read
Details

libcurl contains a read out of bounds flaw in the FTP wildcard function.

libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([) but instead it continues reading the heap beyond the end of the URL buffer that holds the wildcard.

For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern.

Database specific 
{
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2017-8817.html",
    "CWE": {
        "id": "CWE-126",
        "desc": "Buffer Over-read"
    },
    "URL": "https://curl.se/docs/CVE-2017-8817.json",
    "affects": "lib",
    "package": "curl",
    "last_affected": "7.56.1"
}
References
Credits
    • OSS-Fuzz - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER
    • Max Dymond - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.21.0
Fixed
7.57.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34
Fixed
0b664ba968437715819bfe4c7ada5679d16ebbc3

Affected versions

7.*
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
Other
curl-7_21_0
curl-7_21_1
curl-7_21_2
curl-7_21_3
curl-7_21_4
curl-7_21_5
curl-7_21_6
curl-7_21_7
curl-7_22_0
curl-7_23_0
curl-7_23_1
curl-7_24_0
curl-7_25_0
curl-7_26_0
curl-7_27_0
curl-7_28_0
curl-7_28_1
curl-7_29_0
curl-7_30_0
curl-7_31_0
curl-7_32_0
curl-7_33_0
curl-7_34_0
curl-7_35_0
curl-7_36_0
curl-7_37_0
curl-7_37_1
curl-7_38_0
curl-7_39_0
curl-7_40_0
curl-7_41_0
curl-7_42_0
curl-7_42_1
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0
curl-7_49_0
curl-7_49_1
curl-7_50_0
curl-7_50_1
curl-7_50_2
curl-7_50_3
curl-7_51_0
curl-7_52_0
curl-7_52_1
curl-7_53_0
curl-7_53_1
curl-7_54_0
curl-7_54_1
curl-7_55_0
curl-7_55_1
curl-7_56_0
curl-7_56_1

Database specific

source 
"https://curl.se/docs/CURL-CVE-2017-8817.json"
vanir_signatures_modified 
"2026-05-27T02:29:38Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3",
        "digest": {
            "function_hash": "298730692469968009547611169481388207515",
            "length": 3087.0
        },
        "id": "CURL-CVE-2017-8817-3cb6c8a3",
        "deprecated": false,
        "target": {
            "file": "lib/curl_fnmatch.c",
            "function": "setcharset"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "43638997033928459303008351357338518954",
                "72117958863879997296837069229487845669",
                "87990833645405497784466668675550885192",
                "70532905449980031218253424071052354014",
                "196123198438245594349999131572128817069",
                "289576857934881939227353208159133267347",
                "254514581051275152626574631772189928653",
                "191938046197527947869981402332997201997",
                "226509738433068435122098405911222762166",
                "260525894796949816519744561563026002894",
                "305062054971634091161692411070839960392",
                "72411786785477790301492798861538378260",
                "254514581051275152626574631772189928653",
                "13626872940613937908214377755250866971",
                "57469848601474742856855797613017056106",
                "287124871154724278255153040078259555956"
            ]
        },
        "id": "CURL-CVE-2017-8817-fa729cca",
        "deprecated": false,
        "target": {
            "file": "lib/curl_fnmatch.c"
        }
    }
]