PT-2020-6181 · Curl+9
Published
2020-11-27
·
Updated
2026-05-18
·
CVE-2020-8285
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
curl versions 7.21.0 through 7.73.0
Description
The issue is uncontrolled recursion that exhausts the stack (a stack overflow in the sense of running out of stack space, not a buffer overflow) in libcurl's FTP wildcard matching, and it can be used for a denial of service. When wildcard matching is enabled (CURLOPT_WILDCARDMATCH), libcurl iterates over the entries of a remote directory listing and asks the callback set with CURLOPT_CHUNK_BGN_FUNCTION how to treat each entry. When that callback returns CURL_CHUNK_BGN_FUNC_SKIP, the internal state-machine function moves on to the next entry by calling itself recursively, so every consecutive skipped entry adds one stack frame. If the server lists enough entries and the callback returns "skip" enough times, libcurl runs out of stack space. The directory contents are not kept on the stack, so an attacker has little control over what data overwrites it, but a malicious server that a libcurl-using application connects to can reliably crash that application.
Recommendations
For curl versions 7.21.0 through 7.73.0, update to curl 7.74.0 or later, where the wildcard state machine walks over skipped entries in a loop instead of recursing.
As a temporary workaround until you can upgrade, do not enable FTP wildcard matching (CURLOPT_WILDCARDMATCH) against servers you do not control.
If wildcard matching is required, avoid returning CURL_CHUNK_BGN_FUNC_SKIP from the CURLOPT_CHUNK_BGN_FUNCTION callback until the library is patched; the number of listed entries, and therefore the recursion depth, is chosen by the remote server.
Exploit
Fix
DoS
Uncontrolled Recursion
Memory Corruption
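To make the mechanism in the description and the shape of the fix in the recommendations concrete, here is an added, self-contained C model. It is not libcurl source and not code from the advisory's authors: `wc_statemach_recursive` mimics the pre-7.74.0 behaviour of re-entering the state machine for every entry the callback skips, `wc_statemach_loop` mimics the fix of consuming skipped entries in a loop, and the listing, the callback and the depth bookkeeping are constructed for the example. The real API names are CURLOPT_CHUNK_BGN_FUNCTION and CURL_CHUNK_BGN_FUNC_SKIP; every enum, struct and function name below is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical model of the two callback verdicts; the real libcurl names are
   CURL_CHUNK_BGN_FUNC_OK and CURL_CHUNK_BGN_FUNC_SKIP. */
enum verdict { VERDICT_OK = 0, VERDICT_SKIP = 1 };

typedef enum verdict (*chunk_bgn_cb)(const char *name, void *userp);

struct listing {
    char **names;       /* directory entries as the (possibly hostile) server sent them */
    size_t count;
    size_t index;       /* next entry to offer to the callback */
};

struct stats {
    size_t depth;       /* current nesting of the state machine */
    size_t max_depth;   /* deepest nesting reached: grows with skipped entries in the bug */
    size_t transferred; /* entries the callback accepted */
};

/* Vulnerable shape (modelled): on SKIP the state machine calls itself to look
   at the next entry, so each consecutive skip costs one stack frame, and the
   server decides how many entries there are. */
static void wc_statemach_recursive(struct listing *l, chunk_bgn_cb cb, void *userp, struct stats *st)
{
    if (l->index >= l->count)
        return;
    if (++st->depth > st->max_depth)
        st->max_depth = st->depth;
    const char *name = l->names[l->index++];
    if (cb(name, userp) == VERDICT_SKIP)
        wc_statemach_recursive(l, cb, userp, st);   /* unbounded: one frame per skipped entry */
    else
        st->transferred++;
    st->depth--;
}

/* Fixed shape (modelled): skipped entries are consumed by a loop, so nesting
   stays at one frame however long the listing is. */
static void wc_statemach_loop(struct listing *l, chunk_bgn_cb cb, void *userp, struct stats *st)
{
    if (++st->depth > st->max_depth)
        st->max_depth = st->depth;
    while (l->index < l->count) {
        const char *name = l->names[l->index++];
        if (cb(name, userp) == VERDICT_SKIP)
            continue;
        st->transferred++;
        break;   /* hand this entry to the transfer state; the caller re-enters for the rest */
    }
    st->depth--;
}

/* Example application callback: fetch only *.log, skip everything else. */
static enum verdict skip_unless_log(const char *name, void *userp)
{
    (void)userp;
    size_t n = strlen(name);
    return (n >= 4 && strcmp(name + n - 4, ".log") == 0) ? VERDICT_OK : VERDICT_SKIP;
}

/* Constructed listing: n_entries names, only the last one ends in .log. */
static struct listing make_listing(size_t n_entries)
{
    struct listing l = { calloc(n_entries, sizeof(char *)), n_entries, 0 };
    for (size_t i = 0; i < n_entries; i++) {
        l.names[i] = malloc(32);
        snprintf(l.names[i], 32, "file%06zu.%s", i, i + 1 == n_entries ? "log" : "tmp");
    }
    return l;
}

static void free_listing(struct listing *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->names[i]);
    free(l->names);
}

/* Drive one variant over the whole listing, re-entering after each transfer
   the way the multi handle would, and report the deepest nesting reached. */
static struct stats run_listing(size_t n_entries, int fixed)
{
    struct listing l = make_listing(n_entries);
    struct stats st = {0, 0, 0};
    while (l.index < l.count) {
        if (fixed)
            wc_statemach_loop(&l, skip_unless_log, NULL, &st);
        else
            wc_statemach_recursive(&l, skip_unless_log, NULL, &st);
    }
    free_listing(&l);
    return st;
}

int main(void)
{
    struct stats bug = run_listing(5000, 0);
    struct stats fix = run_listing(5000, 1);
    printf("recursive: max depth %zu, transferred %zu\n", bug.max_depth, bug.transferred);
    printf("loop:      max depth %zu, transferred %zu\n", fix.max_depth, fix.transferred);
    return 0;
}
```

Compare the two depth figures: the recursive variant's nesting equals the number of consecutive skipped entries, a number the server controls, while the loop variant stays at one frame. Raising the entry count past what the platform's stack limit allows crashes the recursive variant, which is the denial of service described above; the loop variant is unaffected by listing length.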
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Suse
Ubuntu
Curl