CVE-2013-2174

Name of the Vulnerable Software and Affected Versions cURL versions 7.7 through 7.30.0 libcurl versions prior to 7.34.0

Description The issue is related to a heap-based buffer overflow in the curl easy unescape function, which can be exploited by remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted string ending in a "%" character. The function decodes URL encoded strings to raw binary data and can be vulnerable to heap corruption due to bad checking of input data. The estimated risk for exploiting this flaw is considered low, but it may be possible for specific circumstances.

Recommendations For cURL versions 7.7 through 7.30.0, update to a version later than 7.30.0 to resolve the issue. For libcurl versions prior to 7.34.0, update to version 7.34.0 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of the curl easy unescape function until a patch is available.