CURL-CVE-2020-8231

Source
https://curl.se/docs/CVE-2020-8231.html
Import Source
https://curl.se/docs/CURL-CVE-2020-8231.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2020-8231
Aliases
Published
2020-08-19T08:00:00Z
Modified
2026-05-27T02:29:36.411772Z
Summary
wrong connect-only connection
Details

An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might, in rare circumstances, find that when it subsequently uses the set-up connect-only transfer, libcurl picks and uses the wrong connection: another one that the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.

If more transfers are then done with the same multi handle before the connect-only connection is used, causing the initial connect-only connection to be closed (for example due to idle time-out) while new transfers (and connections) are also set up, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.

If, after those operations, the application then wants to use the original transfer's connect-only setup, for example to send raw data over that connection with curl_easy_send(), libcurl could erroneously find an existing connection still alive at the address it remembered from before, even though this is now a new and different connection.

The application could then, entirely unknowingly, send data over that connection that was not at all intended for that recipient.
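The sequence above, replayed as an added example (not code from curl or from this advisory). The structs, the two-slot pool and every function name are hypothetical stand-ins; slot reuse models the allocator handing a freed address to a new connection, and a never-reused id is shown as one way to tell the two connections apart.

```c
#include <stdio.h>

#define SLOTS 2
/* Hypothetical stand-ins for libcurl's connection struct, cache and easy handle. */
struct conn { int in_use; long id; const char *host; };
struct pool { struct conn slot[SLOTS]; long next_id; };
struct easy { struct conn *lastconn; long lastconn_id; };

/* Take the first free slot. Freed slots are handed out again, just as a heap
   allocator may return a freed struct's address for the next allocation. */
static struct conn *pool_open(struct pool *p, const char *host) {
  for(int i = 0; i < SLOTS; i++) {
    struct conn *c = &p->slot[i];
    if(!c->in_use) {
      c->in_use = 1;
      c->id = p->next_id++;   /* ids are never reused */
      c->host = host;
      return c;
    }
  }
  return NULL;
}

/* Weak check: any live connection at the remembered address is accepted. */
static struct conn *find_by_pointer(struct pool *p, const struct easy *e) {
  for(int i = 0; i < SLOTS; i++)
    if(p->slot[i].in_use && &p->slot[i] == e->lastconn)
      return &p->slot[i];
  return NULL;
}

/* Stricter check: only the connection carrying the remembered id is accepted. */
static struct conn *find_by_id(struct pool *p, const struct easy *e) {
  for(int i = 0; i < SLOTS; i++)
    if(p->slot[i].in_use && p->slot[i].id == e->lastconn_id)
      return &p->slot[i];
  return NULL;
}

/* Returns 1 if the stale handle resolves to another peer by pointer only. */
static int replay(void) {
  struct pool p = { .next_id = 1 };
  struct conn *a = pool_open(&p, "a.example");   /* connect-only transfer */
  struct easy e = { a, a->id };                  /* handle remembers it */
  a->in_use = 0;                                 /* idle time-out closes it */
  struct conn *b = pool_open(&p, "b.example");   /* new transfer, same slot */
  return find_by_pointer(&p, &e) == b && find_by_id(&p, &e) == NULL;
}

int main(void) { printf("misrouted by pointer only: %d\n", replay()); return 0; }
```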

Database specific
{
    "award": {
        "currency": "USD",
        "amount": "500"
    },
    "severity": "Low",
    "CWE": {
        "desc": "Expired Pointer Dereference",
        "id": "CWE-825"
    },
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2020-8231.html",
    "URL": "https://curl.se/docs/CVE-2020-8231.json",
    "issue": "https://hackerone.com/reports/948876",
    "last_affected": "7.71.1",
    "affects": "lib"
}
References
Credits
    • Marc Aldorasi - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.29.0
Fixed
7.72.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
Other
curl-7_29_0
curl-7_30_0
curl-7_31_0
curl-7_32_0
curl-7_33_0
curl-7_34_0
curl-7_35_0
curl-7_36_0
curl-7_37_0
curl-7_37_1
curl-7_38_0
curl-7_39_0
curl-7_40_0
curl-7_41_0
curl-7_42_0
curl-7_42_1
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0
curl-7_49_0
curl-7_49_1
curl-7_50_0
curl-7_50_1
curl-7_50_2
curl-7_50_3
curl-7_51_0
curl-7_52_0
curl-7_52_1
curl-7_53_0
curl-7_53_1
curl-7_54_0
curl-7_54_1
curl-7_55_0
curl-7_55_1
curl-7_56_0
curl-7_56_1
curl-7_57_0
curl-7_58_0
curl-7_59_0
curl-7_60_0
curl-7_61_0
curl-7_61_1
curl-7_62_0
curl-7_63_0
curl-7_64_0
curl-7_64_1
curl-7_65_0
curl-7_65_1
curl-7_65_2
curl-7_65_3
curl-7_66_0
curl-7_67_0
curl-7_68_0
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1

Database specific

vanir_signatures
source
"https://curl.se/docs/CURL-CVE-2020-8231.json"
vanir_signatures_modified
"2026-05-27T02:29:36Z"