PT-2023-5883 · Curl+12

Utsweetyfish

Published 2022-08-03 · Updated 2026-06-05

CVE-2023-38545 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

curl 7.69.0 through 8.3.0 (fixed in 8.4.0)
libcurl 7.69.0 through 8.3.0 (fixed in 8.4.0)
MySQL Server 5.7.43 and earlier, 8.0.34 and earlier, and 8.1.0 (bundled libcurl)
Description

curl and libcurl contain a heap buffer overflow in the SOCKS5 proxy handshake. It is reachable when curl is told to let the SOCKS5 proxy resolve hostnames (a socks5h:// proxy on the command line or in a proxy environment variable, or CURLPROXY_SOCKS5_HOSTNAME in libcurl). The SOCKS5 request can only carry hostnames of up to 255 bytes, so for longer names curl falls back to resolving the name locally. Before 8.4.0 that fallback was recorded in a local variable of the handshake function. If the handshake has to wait for the proxy and the function is re-entered later (a slow proxy is enough), the flag is recomputed from the proxy type, the fallback is forgotten, and the full hostname is copied into the request buffer with a truncated one-byte length field. When the hostname is longer than that heap buffer (16 kB by default in the curl tool, smaller when --limit-rate or CURLOPT_BUFFERSIZE lowers it), the copy overflows. An attacker can supply such a hostname through a URL the victim fetches or through a redirect from a server the attacker controls. The result is heap memory corruption: a crash, or potentially remote code execution. The curl project's own advisory rates the bug HIGH because all of these conditions must hold at once; the 9.8 above is the NVD score. MySQL Server 5.7.43 and earlier, 8.0.34 and earlier, and 8.1.0 are affected because they bundle a vulnerable libcurl.
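The state-machine mistake described above, as an added example that is not curl's code: a reduced model of the SOCKS5 CONNECT request builder in libcurl's lib/socks.c. Function and field names (socks5_step, run_handshake, struct socks_conn, the SOCKS_* result codes) are this example's own; the 255-byte limit, the local-variable fallback flag and the 8.4.0 change to an error are taken from the advisory and the fix. The model never writes past its buffer: where 8.3.0 and earlier would call memcpy with the oversized length, it returns SOCKS_OVERFLOW instead, so the outcome can be asserted rather than observed as a crash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code: reduced model of do_SOCKS5() in lib/socks.c
 * keeping only what matters for CVE-2023-38545. */

enum socks_state { SOCKS_INIT, SOCKS_REQ_INIT };

enum socks_result {
    SOCKS_AGAIN,          /* socket would block; caller re-enters later     */
    SOCKS_DONE_REMOTE,    /* request built with ATYP=3, proxy resolves name */
    SOCKS_DONE_LOCAL,     /* curl resolves the name itself (ATYP=1/4 later) */
    SOCKS_ERR_LONG_HOST,  /* 8.4.0 behaviour: refuse the hostname           */
    SOCKS_OVERFLOW        /* model only: the memcpy would leave the buffer  */
};

struct socks_conn {
    bool remote_resolve;      /* socks5h:// or CURLPROXY_SOCKS5_HOSTNAME      */
    enum socks_state state;   /* persists across calls, like sx->state        */
    unsigned char *buf;       /* request buffer (data->state.buffer in curl)  */
    size_t buflen;            /* CURLOPT_BUFFERSIZE                           */
    const char *hostname;
    size_t hostname_len;
};

/* One entry into the handshake. `fixed` selects the 8.4.0 behaviour;
 * `block_after_init` simulates a proxy that makes the first call return
 * before the CONNECT request has been built. */
static enum socks_result
socks5_step(struct socks_conn *c, bool fixed, bool block_after_init)
{
    /* Pre-8.4.0 curl kept this in a local variable, so it is re-derived from
     * the proxy type on every entry: the >255 fallback below only survives
     * until this function returns. */
    bool resolve_local = !c->remote_resolve;

    if (c->state == SOCKS_INIT) {
        if (!resolve_local && c->hostname_len > 255) {
            if (fixed)
                return SOCKS_ERR_LONG_HOST;   /* CURLPX_LONG_HOSTNAME in 8.4.0 */
            resolve_local = true;             /* pre-8.4.0: silent fallback    */
        }
        c->state = SOCKS_REQ_INIT;
        if (block_after_init)
            return SOCKS_AGAIN;               /* slow proxy: come back later   */
    }

    if (c->state == SOCKS_REQ_INIT) {
        if (resolve_local)
            return SOCKS_DONE_LOCAL;

        /* VER CMD RSV ATYP LEN <name> PORT(2) */
        size_t need = 4 + 1 + c->hostname_len + 2;
        if (need > c->buflen)
            return SOCKS_OVERFLOW;  /* real code: memcpy past the heap buffer  */

        c->buf[0] = 5;  /* SOCKS version */
        c->buf[1] = 1;  /* CONNECT       */
        c->buf[2] = 0;  /* reserved      */
        c->buf[3] = 3;  /* ATYP: domain name */
        c->buf[4] = (unsigned char)c->hostname_len;   /* truncated if > 255  */
        memcpy(&c->buf[5], c->hostname, c->hostname_len);
        c->buf[5 + c->hostname_len] = 0;   /* port 80, big-endian */
        c->buf[6 + c->hostname_len] = 80;
        return SOCKS_DONE_REMOTE;
    }
    return SOCKS_AGAIN;
}

/* Drive a full handshake against a socks5h proxy with a constructed hostname
 * of `hostname_len` 'a' characters and report how it ends. */
static enum socks_result
run_handshake(bool fixed, bool slow_proxy, size_t hostname_len, size_t buflen)
{
    char *host = malloc(hostname_len + 1);
    unsigned char *buf = malloc(buflen);
    memset(host, 'a', hostname_len);
    host[hostname_len] = '\0';

    struct socks_conn c = { true, SOCKS_INIT, buf, buflen, host, hostname_len };
    enum socks_result r = socks5_step(&c, fixed, slow_proxy);
    if (r == SOCKS_AGAIN)
        r = socks5_step(&c, fixed, false);

    free(host);
    free(buf);
    return r;
}

int main(void)
{
    static const char *names[] = { "again", "remote", "local", "too-long error", "OVERFLOW" };
    /* 16384 is the curl tool's default buffer size; --limit-rate lowers it. */
    printf("old,   fast proxy,   300-byte host: %s\n", names[run_handshake(false, false, 300, 16384)]);
    printf("old,   slow proxy,   300-byte host: %s\n", names[run_handshake(false, true, 300, 16384)]);
    printf("old,   slow proxy, 20000-byte host: %s\n", names[run_handshake(false, true, 20000, 16384)]);
    printf("8.4.0, slow proxy, 20000-byte host: %s\n", names[run_handshake(true, true, 20000, 16384)]);
    return 0;
}
```

The second case is the one that is easy to miss: with a 300-byte name and the default buffer the slow-proxy path does not overflow, it just sends a malformed request whose length byte reads 44 (300 mod 256). The overflow needs a name longer than the buffer, which is why the published exploitation path combines a redirect to a very long hostname with a lowered buffer size. Fixed curl refuses the name in the first state, before any wait on the proxy, so no later re-entry can forget the decision.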
Recommendations

Upgrade curl and libcurl to 8.4.0 or later. Upgrade MySQL Server to a release newer than 5.7.43, 8.0.34 or 8.1.0 on the respective branch; the fixed releases bundle libcurl 8.4.0. On distributions that backport fixes, install the vendor update listed under Related Identifiers rather than relying on the reported version number, since the package may still report 7.x or 8.3.x after the fix. If you cannot upgrade, do not use socks5h:// proxies (CURLPROXY_SOCKS5_HOSTNAME in libcurl), including through a proxy environment variable. A plain socks5:// proxy, where curl resolves names itself, does not reach the vulnerable path.
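A first-pass version check for the affected range, as an added example that is neither curl's nor any vendor's code. Function names (parse_version, curl_version_in_affected_range, curl_version_line_in_affected_range) are this example's own; the range 7.69.0 through 8.3.0 comes from the advisory. The sample `curl --version` lines in main are constructed, not captured from real systems. Because backported fixes keep the old version number (the Ubuntu 22.04 line below reads 7.81.0 whether or not USN-6429-1 is installed), a hit means "check the package changelog or vendor advisory", not "vulnerable".

```c
#include <stdio.h>
#include <string.h>

/* Added example, not curl's code: first-pass check of a curl/libcurl version
 * against the CVE-2023-38545 range (7.69.0 up to and including 8.3.0). */

/* Parse "major.minor.patch"; trailing text such as "-DEV" or " (x86_64...)"
 * is ignored. Returns 1 on success, 0 if no version triple is present. */
static int parse_version(const char *s, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* Lexicographic compare of two major.minor.patch triples. */
static int cmp_version(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* 1 = inside the affected range, 0 = outside it, -1 = unparseable. */
int curl_version_in_affected_range(const char *version)
{
    static const int first[3] = { 7, 69, 0 };  /* first affected release        */
    static const int last[3]  = { 8, 3, 0 };   /* last affected; 8.4.0 fixes it */
    int v[3];
    if (!parse_version(version, v))
        return -1;
    return cmp_version(v, first) >= 0 && cmp_version(v, last) <= 0;
}

/* Same check on the first line of `curl --version`, e.g.
 *   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...
 * The libcurl/ token is preferred because the tool may be linked against a
 * different shared libcurl than the one it was built with. */
int curl_version_line_in_affected_range(const char *line)
{
    const char *p = strstr(line, "libcurl/");
    if (p)
        return curl_version_in_affected_range(p + strlen("libcurl/"));
    if (strncmp(line, "curl ", 5) == 0)
        return curl_version_in_affected_range(line + 5);
    return -1;
}

int main(void)
{
    /* Constructed sample lines, not real `curl --version` captures. */
    const char *samples[] = {
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = curl_version_line_in_affected_range(samples[i]);
        printf("%-8s %s\n", r == 1 ? "check" : r == 0 ? "ok" : "unknown", samples[i]);
    }
    return 0;
}
```

Run `curl --version | head -1` through curl_version_line_in_affected_range on each host; for libcurl embedded in other software (the MySQL Server case above), query the bundled library's version string the same way and apply the vendor's own fixed-version list, since the tool's version is irrelevant there.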

Exploit

Fix

RCE

DoS

Memory Corruption

Heap Based Buffer Overflow

Buffer Overflow

Weakness Enumeration

CWE-787: Out-of-bounds Write

Related Identifiers

ALSA-2022_5818
ALSA-2022_6224
ALSA-2023:5763
ALSA-2023:6745
ALSA-2023_0333
ALSA-2023_0946
ALSA-2023_1405
ALSA-2023_2165
ALSA-2023_2621
ALSA-2023_2932
ALSA-2023_3087
ALSA-2023_3722
ALSA-2023_6330
ALSA-2024_0894
ALSA-2024_1141
ALSA-2024_1601
ALSA-2025_0739
ALSA-2025_0914
ALSA-2025_16880
ALT-PU-2023-6259
ALT-PU-2023-6261
ALT-PU-2023-6409
ALT-PU-2023-6453
ALT-PU-2023-7324
ALT-PU-2023-7463
ALT-PU-2023-7647
ALT-PU-2023-7888
AZL-31288
AZL-31501
AZL-34612
AZL-37886
BDU:2023-06576
BDU:2023-07245
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2023-38545
DSA-5523-1
ELSA-2023-5763
ELSA-2023-6745
JLSEC-2025-34
MGASA-2023-0288
OESA-2023-1762
OESA-2024-2071
OESA-2024-2072
OPENSUSE-SU-2023_4044-1
OPENSUSE-SU-2024:13325-1
OPENSUSE-SU-2024:13461-1
OPENSUSE-SU-2024:13464-1
OPENSUSE-SU-2024:14085-1
RHSA-2023:5700
RHSA-2023:5763
RHSA-2023:6745
RHSA-2023:7625
RHSA-2024:0797
RHSA-2024:2011
RLSA-2023:5763
ROSA-SA-2024-2379
SUSE-SU-2023:4043-1
SUSE-SU-2023:4044-1
USN-6429-1
USN-6429-3

Affected Products

Alt Linux
Almalinux
Fortios
Ibm Aix
Linuxmint
Apple Macos
Mysql Server
Red Hat
Red Os
Suse
Ubuntu
Windows
Curl