CURL-CVE-2023-38039

Source

https://curl.se/docs/CVE-2023-38039.html

Import Source

https://curl.se/docs/CURL-CVE-2023-38039.json

Aliases

CVE-2023-38039

Published

2023-09-13T08:00:00Z

Modified

2024-01-25T02:42:52.277328Z

Summary

HTTP headers eat all memory

Details

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers to a client and eventually cause curl to run out of heap memory.

References

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.84.0

Fixed

8.3.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

4d94fac9f0d1dd02b8308291e4c47651142dc28b

Fixed

3ee79c1674fd6f99e8efca52cd7510e08b766770

Affected versions

7.*

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.2.0

8.2.1