CVE-2014-8150

Name of the Vulnerable Software and Affected Versions libcurl versions 6.0 through 7.x before 7.40.0

Description The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL when using an HTTP proxy. This occurs because libcurl copies the entire URL into the request and sends it to the proxy, including any line feeds and carriage returns present in the URL. This can be exploited by malicious users to send additional requests or insert request headers that the program did not intend, particularly in programs that allow external sources to set or provide partial pieces for the URL.

Recommendations For libcurl versions 6.0 through 7.x before 7.40.0, update to version 7.40.0 or later to resolve the issue. As a temporary workaround, consider validating and stripping URLs of CRLF sequences before sending them to the proxy to minimize the risk of exploitation. Restrict access to the HTTP proxy to minimize the risk of malicious users injecting arbitrary HTTP headers.