CVE-2023-38039

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions curl versions prior to 8.4.0

Description The issue is related to the handling of HTTP headers by the curl utility. When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. This can lead to a denial of service. A malicious server can exploit this issue, and it is estimated that a significant number of devices may be affected.

Recommendations For versions prior to 8.4.0, update to curl version 8.4.0 to resolve the issue. As a temporary workaround, consider restricting the size and quantity of HTTP headers accepted by curl to minimize the risk of exploitation.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

ALT-PU-2023-5709

ALT-PU-2023-5710

ALT-PU-2023-5711

ALT-PU-2023-5727

AZL-28833

AZL-29698

AZL-38341

BDU:2023-05819

CLEANSTART-2026-AY18527

CLEANSTART-2026-BW46578

CLEANSTART-2026-DI23929

CLEANSTART-2026-LQ42192

CLEANSTART-2026-OF85770

CVE-2023-38039

MGASA-2023-0263

OPENSUSE-SU-2023_3823-1

OPENSUSE-SU-2024:13230-1

RHSA-2023:7625

SUSE-SU-2023:3692-1

SUSE-SU-2023:3823-1

SUSE-SU-2023_3692-1

SUSE-SU-2023_3823-1

USN-6363-1

Affected Products

Alt Linux

Apple Macos

Red Os

Suse

Ubuntu

Windows

Curl

CVE-2023-38039

Weakness Enumeration

Related Identifiers

Affected Products

References · 347