JLSEC-2025-32

See a problem?
Please try reporting it to the source first.
Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-32.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-32.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2025-32
Upstream
Published
2025-10-10T15:04:01.319Z
Modified
2025-11-03T00:04:46.662273Z
Summary
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handle...
Details

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

Database specific 
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "id": "CVE-2023-27537",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-27537",
            "published": "2023-03-30T20:15:07.617Z",
            "imported": "2025-10-10T14:33:22.322Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27537",
            "modified": "2024-11-21T07:53:07.407Z"
        }
    ]
}
References

Affected packages

Julia / LibCURL_jll

Package

Name
LibCURL_jll
Purl
pkg:julia/LibCURL_jll?uuid=deac9b47-8bc7-5906-a0fe-35ac56dc84c0

Affected ranges

Type
SEMVER
Events
Introduced
7.88.1+0
Fixed
8.0.1+0