The first and more severe of the two, CVE-2023-38545, is a heap-based buffer overflow that affects both libcurl and the curl command line tool. The overflow can occur during the SOCKS5 proxy handshake. When a user-supplied hostname is too long to be handed to the proxy, curl is meant to fall back to resolving it locally; if the handshake is slow, that fallback can be lost and the unusually long hostname is instead copied into a target buffer whose allocated size it may exceed. Heap-based buffer overflows of this kind can lead to crashes, data corruption, and in the worst case arbitrary code execution.
This vulnerability affects only uses of curl that connect through a SOCKS5 proxy, and only when the hostname is passed to the proxy for resolution (a socks5h:// proxy URL, or CURLPROXY_SOCKS5_HOSTNAME in libcurl). Although use of SOCKS is neither unheard of nor rare, this condition significantly reduces the exposure across the countless internet-connected devices that depend on curl.
CVE-2023-38545 affects curl versions 7.69.0 through 8.3.0 inclusive. Version 8.4.0, released today, removes the overflow by returning an error when a hostname exceeds 255 bytes, the specific condition that triggers it (255 is the most a SOCKS5 domain-name address field can carry, because its length prefix is a single byte). The curl project urges teams to upgrade immediately, especially if they do not already restrict hostname lengths. For teams that cannot upgrade right away, curl suggests some workarounds.
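As an added illustration (this is example code, not curl's source and not taken from the advisory), the C model below builds the SOCKS5 CONNECT request that the handshake sends and applies, before any copy happens, the kind of length check that 8.4.0 adds. The 16 KiB buffer size, the result codes, the 70000-byte constructed hostname, and the helper that reports how far an unchecked copy would overrun are assumptions for the example; the 255-byte limit itself follows from the one-byte length field of the SOCKS5 domain-name address type (RFC 1928).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* In a SOCKS5 CONNECT request with ATYP 0x03 (domain name) the hostname is
 * prefixed by a single length byte (RFC 1928), so the wire format cannot
 * carry more than 255 bytes of hostname. That is where the 255-byte trigger
 * and the check added in curl 8.4.0 come from. */
#define SOCKS5_HOST_MAX 255

/* Assumption for this example: a fixed 16 KiB handshake buffer, the size of
 * libcurl's default download buffer. This is a model, not curl's code. */
#define HANDSHAKE_BUF_LEN 16384

enum socks5_result {
    SOCKS5_OK = 0,
    SOCKS5_HOST_TOO_LONG = -1,   /* refuse instead of copying, as 8.4.0 does */
    SOCKS5_BUF_TOO_SMALL = -2
};

/* Build the CONNECT request: VER CMD RSV ATYP LEN host PORT(2 bytes, big-endian).
 * Writes into out[outlen] and stores the number of bytes written in *written. */
int socks5_build_connect(uint8_t *out, size_t outlen, const char *host,
                         uint16_t port, size_t *written)
{
    size_t hlen = strlen(host);
    if (hlen > SOCKS5_HOST_MAX)          /* the length check, before any memcpy */
        return SOCKS5_HOST_TOO_LONG;
    size_t need = 4 + 1 + hlen + 2;
    if (need > outlen)                   /* never trust the buffer to be big enough */
        return SOCKS5_BUF_TOO_SMALL;
    out[0] = 0x05;                       /* VER  */
    out[1] = 0x01;                       /* CMD  = CONNECT */
    out[2] = 0x00;                       /* RSV  */
    out[3] = 0x03;                       /* ATYP = domain name */
    out[4] = (uint8_t)hlen;              /* fits because hlen <= 255 */
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    *written = need;
    return SOCKS5_OK;
}

/* Models the pre-8.4.0 failure mode without performing it: how many bytes a
 * hostname of hostlen bytes, copied unchecked into a buflen-byte buffer,
 * would overrun by (0 means it fits). */
size_t socks5_unchecked_overrun(size_t hostlen, size_t buflen)
{
    size_t need = 4 + 1 + hostlen + 2;
    return need > buflen ? need - buflen : 0;
}

/* Constructed input: a 300-byte hostname, longer than the protocol allows. */
int example_long_host_rejected(void)
{
    uint8_t buf[HANDSHAKE_BUF_LEN];
    char host[301];
    size_t n = 0;
    memset(host, 'a', 300);
    host[300] = '\0';
    return socks5_build_connect(buf, sizeof buf, host, 443, &n);
}

int main(void)
{
    uint8_t buf[HANDSHAKE_BUF_LEN];
    size_t n = 0;
    int rc = socks5_build_connect(buf, sizeof buf, "example.com", 443, &n);
    printf("example.com: rc=%d, %zu bytes, ATYP=0x%02x LEN=%u\n", rc, n, buf[3], buf[4]);
    printf("300-byte host: rc=%d\n", example_long_host_rejected());
    /* Constructed 70000-byte hostname against the 16 KiB buffer: the amount an
     * unchecked copy would write past the end of the allocation. */
    printf("unchecked overrun: %zu bytes\n",
           socks5_unchecked_overrun(70000, HANDSHAKE_BUF_LEN));
    return 0;
}
```

The point of the model is ordering: the length check runs before the copy and is tied to the protocol's own limit, so no buffer size assumption is needed to stay safe. The pre-fix behaviour, where the decision to use the proxy for resolution could be lost mid-handshake, is exactly what makes an unchecked copy of a URL-length hostname into a download-sized buffer reachable.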
We’ve provided more details regarding the vulnerability and exploit conditions below.