PT-2023-6817 · Curl +11
Credit: Patrick Monnerat
Published: 2023-02-15 · Updated: 2026-05-18
CVE-2023-23916
| CVSS v2.0 | 7.8 (High) |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
curl and libcurl 7.57.0 through 7.87.0, i.e. every release before 7.88.0 that supports chained HTTP decompression; fixed in 7.88.0
Description
curl supports "chained" HTTP compression: a server may compress a response body several times, possibly with different algorithms, and announce each step in Content-Encoding headers, and curl builds a matching chain of decoders to undo them. The number of accepted links in this decompression chain was capped, but the cap was enforced per header, so a malicious server could sidestep it simply by sending many Content-Encoding headers, each carrying one or more encodings, and make curl push a practically unlimited number of decoding stages. Every stage allocates decoder state, so such a response works as a "malloc bomb": curl either consumes enormous amounts of heap memory or fails with out-of-memory errors, a denial of service against the client.
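The per-header cap described above, modelled in C as an added example (this is not curl's own code): the function takes raw response header lines, counts the decoding stages a Content-Encoding chain would push, and applies the cap either per header (the pre-7.88.0 behaviour) or across all headers (the fix). The constant MAX_ENCODE_STACK, the "counter reaches the cap" comparison and the header lines fed in are this example's own assumptions and constructed input, chosen to mirror the logic of curl's content_encoding.c rather than copied from it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to mirror curl's MAX_ENCODE_STACK: when the stage counter reaches
 * this value the response is rejected. */
#define MAX_ENCODE_STACK 5

/* Case-insensitive prefix test for header names (curl uses checkprefix). */
static int has_prefix_ci(const char *line, const char *prefix)
{
    for (; *prefix; line++, prefix++) {
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/*
 * Count the decoding stages that a set of response headers would push onto
 * the decompression chain.  Returns the number of stages accepted, or -1
 * when the cap rejects the response (curl: CURLE_BAD_CONTENT_ENCODING).
 *
 * per_header_reset = 1 models curl < 7.88.0: the counter is a local of the
 * per-header call, so every Content-Encoding header starts again at zero.
 * per_header_reset = 0 models the 7.88.0 fix: the counter persists across
 * headers, so the cap bounds the whole chain.
 */
int count_encoding_stages(const char *const *headers, size_t n,
                          int per_header_reset)
{
    int counter = 0;   /* what the cap is compared against */
    int stages = 0;    /* stages actually pushed; memory grows with this */

    for (size_t i = 0; i < n; i++) {
        const char *p = headers[i];
        if (!has_prefix_ci(p, "Content-Encoding:"))
            continue;
        p += strlen("Content-Encoding:");

        if (per_header_reset)
            counter = 0;   /* the bug: the cap only ever sees one header */

        /* Walk the comma/whitespace separated list of encoding names. */
        while (*p) {
            while (*p && (isspace((unsigned char)*p) || *p == ','))
                p++;
            const char *name = p;
            while (*p && !isspace((unsigned char)*p) && *p != ',')
                p++;
            if (p == name)
                break;   /* only separators remained */
            if (++counter >= MAX_ENCODE_STACK)
                return -1;
            stages++;    /* real curl allocates a writer (+ zlib state) here */
        }
    }
    return stages;
}

/* Convenience: a response consisting of n copies of the same header line. */
int stages_for_repeated_header(const char *line, size_t n, int per_header_reset)
{
    if (n == 0)
        return 0;
    const char **hdrs = malloc(n * sizeof *hdrs);
    if (!hdrs)
        return -2;
    for (size_t i = 0; i < n; i++)
        hdrs[i] = line;
    int r = count_encoding_stages(hdrs, n, per_header_reset);
    free(hdrs);
    return r;
}

int main(void)
{
    /* Constructed sample: a hostile server answering with 2000 headers. */
    const char *hostile = "Content-Encoding: gzip";
    printf("2000 headers, per-header cap : %d stages accepted\n",
           stages_for_repeated_header(hostile, 2000, 1));
    printf("2000 headers, chain-wide cap : %d (rejected)\n",
           stages_for_repeated_header(hostile, 2000, 0));
    /* One header with five encodings was already rejected before the fix. */
    printf("one header, five encodings   : %d (rejected)\n",
           stages_for_repeated_header(
               "Content-Encoding: gzip, br, deflate, gzip, gzip", 1, 1));
    return 0;
}
```

The model only counts stages; in real curl each accepted stage allocates a writer and, for gzip and deflate, its zlib state, which is where the memory goes. Note that the per-header cap still rejects a single header carrying five encodings, which is why the bug went unnoticed: it is only the counter reset between headers that opens the door. To test a client rather than the model, serve a response carrying a few thousand such headers from a local listener and point the client at it with --compressed.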
Recommendations
Upgrade to curl 7.88.0 or later, or apply the upstream fix to a locally built 7.57.0 to 7.87.0. Until then the exposure can be reduced but not removed. The headers are chosen by the server, so limiting how the client itself uses compression achieves nothing; instead, avoid pointing curl or libcurl-based tools at untrusted HTTP servers, and do not request compressed responses (the --compressed option / CURLOPT_ACCEPT_ENCODING), since requesting them is what makes curl act on Content-Encoding headers at all. No further mitigation is documented.
Exploit
Fix
DoS
Weakness Enumeration
CWE-770: Allocation of Resources Without Limits or Throttling
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
curl