CURL fixes severe heap overflow vulnerability


The developers of cURL have released version 8.4.0 of the tool. This contains a fix for a vulnerability that affected both cURL and libcurl. Lead developer Daniel Stenberg called the vulnerability “the worst security issue for the tool in a while.”

The developers had already announced last week that the tool was affected by two vulnerabilities. One was rated Low severity, the other High. They withheld details at the time to reduce the risk of the flaws being exploited before a fix was available. Stenberg now writes that the serious one is a heap-based buffer overflow, tracked as CVE-2023-38545. It affects both the command-line tool and the libcurl library. curl is a widely used tool for transferring data over many different protocols, for example to retrieve web pages from the command line.

To trigger the vulnerability, an attacker has to get curl to use an overly long host name while curl is talking to a SOCKS5 proxy with remote name resolution (socks5h:// in the tool, CURLPROXY_SOCKS5_HOSTNAME in libcurl). The SOCKS5 protocol carries the host name behind a one-byte length field, so a name can be at most 255 bytes; curl is meant to fall back to resolving longer names locally, but because of the bug it could instead copy the overlong name into the heap-allocated download buffer during a slow handshake. As Stenberg points out, a host name in DNS can be at most 253 bytes, but libcurl's URL parser accepts host names of up to 65,535 bytes, so a URL under attacker control, such as the target of a redirect that curl is told to follow, can carry a name long enough to overflow the buffer. Whether a given name overflows depends on the buffer size: 16 kB by default in libcurl (adjustable with CURLOPT_BUFFERSIZE) and 100 kB in the curl tool, so an application that configures a smaller buffer is exposed to shorter names.
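As an added illustration of the length limit Stenberg describes (example code written for this article, not curl's own SOCKS5 implementation), the following C program builds a SOCKS5 CONNECT request as RFC 1928 defines it, with the one-byte length field that caps a host name at 255 bytes, and refuses both a name the protocol cannot carry and a name that would not fit in the caller's buffer. The function names and the constructed host names are assumptions made for the example; the 16 kB buffer mirrors libcurl's default download buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1928 sends a domain name as ATYP 0x03 followed by a one-byte
   length, so 255 bytes is the hard protocol ceiling for a host name. */
#define SOCKS5_MAX_NAME 255

/* Build a SOCKS5 CONNECT request for a domain-name target into out.
   Returns the number of bytes written, or -1 if the name is empty,
   longer than the protocol allows, or would not fit in outlen bytes.
   Wire layout: VER CMD RSV ATYP LEN <name> PORT (2 bytes, big endian). */
int socks5_connect_request(const char *host, uint16_t port,
                           unsigned char *out, size_t outlen)
{
    size_t namelen = strlen(host);
    if (namelen == 0 || namelen > SOCKS5_MAX_NAME)
        return -1;                   /* cannot be expressed on the wire */
    size_t need = 4 + 1 + namelen + 2;
    if (out == NULL || need > outlen)
        return -1;                   /* refuse instead of overflowing out */
    out[0] = 0x05;                   /* VER  = SOCKS5 */
    out[1] = 0x01;                   /* CMD  = CONNECT */
    out[2] = 0x00;                   /* RSV */
    out[3] = 0x03;                   /* ATYP = DOMAINNAME */
    out[4] = (unsigned char)namelen; /* LEN fits: namelen <= 255 */
    memcpy(out + 5, host, namelen);
    out[5 + namelen] = (unsigned char)(port >> 8);
    out[6 + namelen] = (unsigned char)(port & 0xff);
    return (int)need;
}

/* A correct client decides on remote resolution from the name length
   alone: anything over 255 bytes must be resolved locally or refused. */
int socks5_can_remote_resolve(const char *host)
{
    return strlen(host) <= SOCKS5_MAX_NAME;
}

/* Constructed cases (hypothetical names, not real traffic). */
int demo_short_name(void)
{
    unsigned char buf[64];
    /* 4 header bytes + 1 length byte + 11 name bytes + 2 port bytes = 18 */
    return socks5_connect_request("example.com", 80, buf, sizeof buf);
}

int demo_overlong_name(void)
{
    /* A 300-byte name: accepted by a URL parser, impossible in SOCKS5. */
    char name[301];
    memset(name, 'a', 300);
    name[300] = '\0';
    unsigned char buf[16384];        /* libcurl's default buffer size */
    return socks5_connect_request(name, 443, buf, sizeof buf);
}

int demo_small_buffer(void)
{
    /* A protocol-legal 200-byte name into a 64-byte buffer: refused. */
    char name[201];
    memset(name, 'b', 200);
    name[200] = '\0';
    unsigned char buf[64];
    return socks5_connect_request(name, 443, buf, sizeof buf);
}

int main(void)
{
    unsigned char buf[64];
    int n = socks5_connect_request("example.com", 80, buf, sizeof buf);
    printf("request bytes: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("%02x ", buf[i]);
    printf("\n300-byte name: %d, 200-byte name into 64-byte buffer: %d\n",
           demo_overlong_name(), demo_small_buffer());
    return 0;
}
```

The two refusals are the point: the first is the protocol's own limit, which is why curl must decide between remote and local resolution before the handshake, and the second is the bounds check against the destination buffer that has to hold regardless of how the resolution mode was chosen.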

The bug is present in libcurl versions 7.69.0 through 8.3.0 inclusive. Older versions, and the newly released 8.4.0, are not affected. The flawed code has shipped for more than three years, but it is not known whether it has ever been exploited in the wild.
