By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
{
"binaries": [
{
"binary_name": "curl",
"binary_version": "8.18.0-1ubuntu2.2"
},
{
"binary_name": "libcurl3t64-gnutls",
"binary_version": "8.18.0-1ubuntu2.2"
},
{
"binary_name": "libcurl4t64",
"binary_version": "8.18.0-1ubuntu2.2"
}
],
"priority_reason": "Upstream defined this as low severity"
}