CURL-CVE-2023-38039
- Source
- https://curl.se/docs/CVE-2023-38039.html
- Import Source
- https://curl.se/docs/CURL-CVE-2023-38039.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CURL-CVE-2023-38039
- Aliases
- Published
- 2023-09-13T08:00:00Z
- Modified
- 2025-05-15T17:48:29Z
- Summary
- HTTP headers eat all memory
- Details
-
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.
However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers to a client and eventually cause curl to run out of heap memory.
- Database specific
{ "affects": "both", "CWE": { "id": "CWE-770", "desc": "Allocation of Resources Without Limits or Throttling" }, "award": { "amount": "2540", "currency": "USD" }, "www": "https://curl.se/docs/CVE-2023-38039.html", "URL": "https://curl.se/docs/CVE-2023-38039.json", "last_affected": "8.2.1", "package": "curl", "issue": "https://hackerone.com/reports/2072338", "severity": "Medium" }- References
-
- Credits
-
-
- selmelc on hackerone - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.84.0Fixed8.3.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Function",
"id": "CURL-CVE-2023-38039-0087437c",
"digest": {
"function_hash": "217856162028945208227756944370592861754",
"length": 3174.0
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"function": "recv_CONNECT_resp",
"file": "lib/cf-h1-proxy.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-09e76412",
"digest": {
"threshold": 0.9,
"line_hashes": [
"266152777201181161272238381333752983590",
"226473907641945019129741068348208069936",
"39871203441645995248018875017125996466",
"236964077332353526136694381681811420344",
"261668016666241600746096543686176329414",
"339397223176748758535340556174729444807"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/http.h"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-193ef3c9",
"digest": {
"threshold": 0.9,
"line_hashes": [
"161386987300584230110239495379033515094",
"276739193331066840851545064172186791946",
"295266772483880254439657484762448042109",
"241559128329541869971716858373461861109"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/pingpong.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Function",
"id": "CURL-CVE-2023-38039-301361bc",
"digest": {
"function_hash": "25634036898079910527776213607333032878",
"length": 3294.0
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"function": "Curl_pp_readresp",
"file": "lib/pingpong.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Function",
"id": "CURL-CVE-2023-38039-4a33a999",
"digest": {
"function_hash": "289959481106961110124566541848340602002",
"length": 10879.0
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"function": "Curl_http_readwrite_headers",
"file": "lib/http.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-4d1fcab4",
"digest": {
"threshold": 0.9,
"line_hashes": [
"153727179836068403278834459333255590585",
"161266886895214736959679432404959264782",
"158130729943200810335777424393268167007",
"167426758231598823047941510916722955474",
"221484565741061934679677783522154989559",
"81159150846839355279884534814109881053",
"202255363867029659057468693041804297249",
"241517222621887440328607978574233274593",
"257455479635308348040612387521814965935",
"162519920507744553024559035020664320316",
"288791198034856157556009118927148921569",
"85605736625292568684304881600898198149",
"108082863928655992355057425793722645123"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/http.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Function",
"id": "CURL-CVE-2023-38039-5462c446",
"digest": {
"function_hash": "62084057502864989608029726650223554524",
"length": 1394.0
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"function": "status_line",
"file": "lib/c-hyper.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-a801610f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"220214788420117660170330431646210929388",
"51233553473512347557797855110715217207",
"177930723961363986156720965672153511623",
"197985206780942310300217187130764166589",
"52249314844344248395005052265711245327",
"55517291530950294093044223647673042525",
"122591086740016198932181046968842410238",
"151000370705716657977071868381323362261",
"172699081279152655782293143818736289698",
"294226765416467911030868254452527776021",
"270080647168348232992635788056668549849"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/c-hyper.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-a8de1ff7",
"digest": {
"threshold": 0.9,
"line_hashes": [
"114382137874919521338056168958940599379",
"32851204865726977051130315551742950373",
"234179250335772845966467765143701154112",
"58127195273346064729648054396158639453",
"181588827708254929671772670255527503355",
"252327653159680848636033877472677796162",
"87159290581569205702567292966104783771",
"78564278415356618316200196977230377388",
"240989178496983064324525034049345982246",
"63782540846623863278005710349225626704",
"201615245760757934877771637599845418560",
"61545082602412916904806631104826904709",
"115468048476202356188814307203981168298",
"49583577813772729421441846660222582793",
"54864908772453354653294499457288395575"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/urldata.h"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Function",
"id": "CURL-CVE-2023-38039-b030bf63",
"digest": {
"function_hash": "44028677973125743973219208999173054567",
"length": 1559.0
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"function": "hyper_each_header",
"file": "lib/c-hyper.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"id": "CURL-CVE-2023-38039-c3f8f479",
"digest": {
"threshold": 0.9,
"line_hashes": [
"190667180303681933230166742630931409265",
"140154736915609618466265130274956444378",
"340234524266739023559996464902571359952",
"46978815267586723746418814720087148698"
]
},
"source": "https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770",
"target": {
"file": "lib/cf-h1-proxy.c"
},
"deprecated": false
}
]