PT-2016-7531 · Curl+1

Padma81 · Published 2016-11-02 · Updated 2026-05-18 · CVE-2016-8625

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

curl versions prior to 7.51.0

Description

The issue arises from curl's use of the outdated IDNA 2003 standard to handle International Domain Names, which may lead users to unknowingly issue network transfer requests to the wrong host. This is particularly problematic with domains using special characters, such as the German ß character, which is translated differently in IDNA 2003 and the modern IDNA 2008 standard. For instance, the domain straße.de is translated to strasse.de using IDNA 2003, but to xn--strae-oqa.de using IDNA 2008, potentially resolving to different addresses.

Recommendations

For versions prior to 7.51.0, update to version 7.51.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of International Domain Names with special characters until the update is applied. Restrict access to DNS-using protocols in curl when built with libidn to minimize the risk of exploitation. Avoid using curl with libidn for domains that require IDNA 2008, such as .de domains, until the issue is resolved.
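
Hostnames affected by the divergence described above can be found by encoding each name both ways and comparing the results. The Python below is an added example, not code from curl or from this advisory: it uses Python's built-in `idna` codec for IDNA 2003 and approximates IDNA 2008 by Punycode-encoding each lower-cased, NFC-normalised label without validity checks (an assumption of this example); the function names are hypothetical.

```python
import unicodedata

# The four UTS #46 "deviation" characters: valid in both standards but
# handled differently by IDNA 2003 (mapped or removed) and IDNA 2008 (kept).
DEVIATION_CHARS = {"\u00df", "\u03c2", "\u200c", "\u200d"}  # ß, ς, ZWNJ, ZWJ


def ace_idna2003(host):
    """IDNA 2003 ToASCII, as done by Python's built-in 'idna' codec (RFC 3490)."""
    return host.encode("idna").decode("ascii")


def ace_idna2008_simplified(host):
    """Approximate IDNA 2008 A-labels: lower-case + NFC, then Punycode per label.

    Assumption of this example: no IDNA 2008 validity checks are performed,
    so this is only suitable for comparing against the IDNA 2003 result.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host.lower()).split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def audit_host(host):
    """Return both encodings and whether a client could reach a different host."""
    old = ace_idna2003(host)
    new = ace_idna2008_simplified(host)
    return {
        "host": host,
        "idna2003": old,
        "idna2008": new,
        "diverges": old != new,
        "deviation_chars": sorted(set(host) & DEVIATION_CHARS),
    }


if __name__ == "__main__":
    # Constructed sample input: the advisory's example plus two controls.
    for name in ["straße.de", "bücher.de", "example.com"]:
        print(audit_host(name))
```

Names reported with `diverges` set to true are the ones to keep away from an IDNA 2003 curl build until it is updated.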

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2016-2231
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2016-8625
OPENSUSE-SU-2024:10303-1
RHSA-2018:3558

Affected Products

Alt Linux
Curl