The maintainer and original author of curl, Daniel Stenberg, has taken to X (formerly Twitter) and LinkedIn to sound the alarm on what he refers to as “probably the worst security problem found in curl in a long time.”
According to project maintainers, the fixed version, 8.4.0, is set to be released on Wednesday, October 11. While we won’t know much detail about the vulnerability until the fix is released, the open source community and users of curl have been warned to take this issue seriously.
What we do know is that there are two vulnerabilities: one affects both libcurl and the curl tool (CVE-2023-38545) and is described as the more severe of the two, while the other affects only libcurl (CVE-2023-38546) and is considered less severe.
cURL, which provides both libcurl and the curl command-line tool, is a popular open source library used to transfer data via URLs. As one of the most widely used open source projects, it is included in many standard Linux distributions and their container images. Its popularity is comparable to that of Apache Log4j, and based on our own data, Synopsys has thousands of customers who depend on it.
Announcing a vulnerability before publishing technical details or a fix gives teams a head start in assessing their applications and environments for exposure, but the practice is not without risk. Even without further details, threat actors will undoubtedly begin attempting to exploit it, and it is not unheard of for attackers to publish bogus “fixed” versions of a project laced with malware to take advantage of teams scrambling to patch. Organizations need to move swiftly to assess the exposure of their company and customers before full details are published, monitor their systems for indications of exploit attempts, and be careful about where they obtain patches and fixed versions of curl.
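As an added illustration of the "assess exposure" step (example code, not from the Synopsys post or the curl project): the script below parses `curl --version` output, reports the curl tool and libcurl versions separately (they can differ when the binary is linked against a different libcurl), and flags each CVE against the announced 8.4.0 fix release, honouring the stated scope that CVE-2023-38546 affects libcurl only. It assumes only that any version below 8.4.0 has not yet received the fix; the sample banners are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]
# The pre-announcement names 8.4.0 as the release carrying the fix for both CVEs.
FIXED_VERSION: Version = (8, 4, 0)
_TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")
_LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Extract (curl tool version, libcurl version) from `curl --version` output.
    They can differ when the binary is dynamically linked against another
    libcurl, so both are reported; a component that is not found is None."""
    first = banner.lstrip().splitlines()[0] if banner.strip() else ""

    def to_version(m: Optional[re.Match]) -> Optional[Version]:
        return tuple(int(x) for x in m.groups()) if m else None

    return to_version(_TOOL_RE.match(first)), to_version(_LIB_RE.search(first))


def assess(banner: str) -> dict:
    """Per CVE: True = below 8.4.0 (update needed), False = 8.4.0+, None = unknown."""
    tool, lib = parse_banner(banner)

    def below_fix(v: Optional[Version]) -> Optional[bool]:
        return None if v is None else v < FIXED_VERSION

    tool_old, lib_old = below_fix(tool), below_fix(lib)
    # CVE-2023-38545 affects both the tool and libcurl, so either being old counts;
    # CVE-2023-38546 affects libcurl only, so it follows the library version alone.
    if tool_old is None and lib_old is None:
        both = None
    else:
        both = bool(tool_old) or bool(lib_old)
    return {"curl": tool, "libcurl": lib,
            "CVE-2023-38545": both, "CVE-2023-38546": lib_old}


def assess_local() -> Optional[dict]:
    """Assess the curl found on PATH, or return None when there is none."""
    exe = shutil.which("curl")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)
```

Run the same parser over `curl --version` collected from each host and container image in your inventory to build the exposure list before the details are public.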
So what can your team do right now?