CVE-2023-38039

Name of the Vulnerable Software and Affected Versions curl versions prior to 8.4.0

Description The issue is related to the handling of HTTP headers by the curl utility. When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. This can lead to a denial of service. A malicious server can exploit this issue, and it is estimated that a significant number of devices may be affected.

Recommendations For versions prior to 8.4.0, update to curl version 8.4.0 to resolve the issue. As a temporary workaround, consider restricting the size and quantity of HTTP headers accepted by curl to minimize the risk of exploitation.