GHSA-3vpc-4p9p-47hc

Source
https://github.com/advisories/GHSA-3vpc-4p9p-47hc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-3vpc-4p9p-47hc/GHSA-3vpc-4p9p-47hc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3vpc-4p9p-47hc
Published
2024-10-22T18:15:17Z
Modified
2024-10-22T18:53:30.645632Z
Summary
curl_cffi bundles a version of libcurl affected by a High severity vulnerability (CVE-2023-38545)
Details

Summary

curl_cffi is potentially affected by the High severity vulnerability CVE-2023-38545 in libcurl < 8.4.0.

Details

HIGH severity vulnerability in curl and libcurl (announcement): at the time this advisory was written the details were still unknown, but it looked set to be a major issue, as the curl developers advertised it as "probably the worst curl security flaw in a long time". A patched version (8.4.0) and the details were to be published around 06:00 UTC on October 11, 2023. curl_cffi wheels on PyPI ship with libcurl 7.84.0, which lies inside the affected range: CVE-2023-38545, as published with curl 8.4.0, is a heap-based buffer overflow in the SOCKS5 proxy handshake affecting libcurl 7.69.0 through 8.3.0.

PoC

The curlver.h header bundled in the 0.5.10b2 aarch64 wheel, which records the libcurl version the wheel was built against:
https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h
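
The check a practitioner wants from this advisory is whether a given curl_cffi wheel bundles a libcurl inside the CVE-2023-38545 range. The script below is an added example, not code from the advisory or from the curl_cffi project: it parses the curlver.h header shown in the PoC link (a constructed copy of the 7.84.0 values is embedded so it runs offline), cross-checks the LIBCURL_VERSION string against LIBCURL_VERSION_NUM, and compares the result with the range curl published for the CVE (7.69.0 up to but not including 8.4.0). The header path `include/curl/curlver.h` under the installed package directory is taken from the PoC link and is assumed to hold for other wheels; if curl_cffi is not installed the installed-package check simply returns None.

```python
"""Check whether a curl_cffi wheel bundles a libcurl in the CVE-2023-38545 range.

Added example; not part of the advisory or the curl_cffi project.
"""
import importlib.util
import re
from pathlib import Path
from typing import Optional, Tuple

# Range published with the curl 8.4.0 release for CVE-2023-38545:
# first affected 7.69.0, first fixed 8.4.0.
FIRST_AFFECTED = (7, 69, 0)
FIRST_FIXED = (8, 4, 0)

# Constructed sample carrying the values a libcurl 7.84.0 curlver.h contains.
SAMPLE_CURLVER_H = """\
#define LIBCURL_VERSION "7.84.0"
#define LIBCURL_VERSION_MAJOR 7
#define LIBCURL_VERSION_MINOR 84
#define LIBCURL_VERSION_PATCH 0
#define LIBCURL_VERSION_NUM 0x075400
"""

_STR_RE = re.compile(r'^#define\s+LIBCURL_VERSION\s+"(\d+)\.(\d+)\.(\d+)(?:-DEV)?"', re.M)
_NUM_RE = re.compile(r"^#define\s+LIBCURL_VERSION_NUM\s+0x([0-9A-Fa-f]{6})", re.M)


def parse_curlver(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from curlver.h, cross-checking both encodings.

    LIBCURL_VERSION_NUM packs the version as 0xMMmmpp; a header whose string
    and numeric versions disagree has been tampered with or mis-generated.
    """
    m = _STR_RE.search(text)
    n = _NUM_RE.search(text)
    if not m or not n:
        raise ValueError("curlver.h is missing LIBCURL_VERSION or LIBCURL_VERSION_NUM")
    from_str = tuple(int(x) for x in m.groups())
    num = int(n.group(1), 16)
    from_num = ((num >> 16) & 0xFF, (num >> 8) & 0xFF, num & 0xFF)
    if from_str != from_num:
        raise ValueError(f"version string {from_str} disagrees with VERSION_NUM {from_num}")
    return from_str  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the libcurl version is within [7.69.0, 8.4.0)."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def find_bundled_curlver() -> Optional[Path]:
    """Locate include/curl/curlver.h inside an installed curl_cffi package, if any.

    Assumption: the header sits at <package dir>/include/curl/curlver.h, the
    layout visible in the advisory's PoC link for the 0.5.10b2 wheel.
    """
    spec = importlib.util.find_spec("curl_cffi")
    if spec is None or not spec.submodule_search_locations:
        return None
    for loc in spec.submodule_search_locations:
        candidate = Path(loc) / "include" / "curl" / "curlver.h"
        if candidate.is_file():
            return candidate
    return None


def check_text(text: str) -> dict:
    """Parse a curlver.h body and report the bundled version and its status."""
    v = parse_curlver(text)
    return {"libcurl": ".".join(map(str, v)), "affected": is_affected(v)}


def check_installed() -> Optional[dict]:
    """Run the check against the curl_cffi installed in this interpreter."""
    header = find_bundled_curlver()
    if header is None:
        return None
    return check_text(header.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print("sample 7.84.0 header:", check_text(SAMPLE_CURLVER_H))
    result = check_installed()
    print("installed curl_cffi:", result if result else "not installed or header not found")
```

Run it inside the virtual environment that carries the curl_cffi wheel you want to audit; a wheel that passes this check can still be vulnerable to later libcurl advisories, so the range constants are specific to CVE-2023-38545 and should be compared against the current curl advisory list rather than reused as-is.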

Resolution

curl_cffi 0.7.0b6 and later bundle libcurl >= 8.5, which is not affected by this issue.

References

Affected packages

Package: curl-cffi (PyPI)

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 0.7.0b6

Affected versions

0.*

0.1.5
0.2.0
0.2.1
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.7
0.3.8
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.9b1
0.5.9b2
0.5.9b3
0.5.9b4
0.5.9b5
0.5.9b6
0.5.9
0.5.10b1
0.5.10b2
0.5.10b3
0.5.10b4
0.5.10b5
0.5.10
0.6.0b2
0.6.0b4
0.6.0b7
0.6.0b9
0.6.0
0.6.1
0.6.2
0.6.3b1
0.6.3
0.6.4
0.7.0b4

Database specific

{
    "last_known_affected_version_range": "<= 0.6.4"
}