CURL-CVE-2016-8625

Source
https://curl.se/docs/CVE-2016-8625.html
Import Source
https://curl.se/docs/CURL-CVE-2016-8625.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2016-8625
Aliases
Published
2016-11-02T08:00:00Z
Modified
2025-11-12T00:50:45Z
Summary
IDNA 2003 makes curl use wrong host
Details

When curl is built with libidn to handle International Domain Names (IDNA), it translates them to Punycode for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with, for example, domains using the German ß character (the Unicode character LATIN SMALL LETTER SHARP S), which is used at times in the .de TLD and is translated differently in the two IDNA standards, leading to users potentially and unknowingly issuing network transfer requests to the wrong host.

For example, straße.de is translated into strasse.de using IDNA 2003 but is translated into xn--strae-oqa.de using IDNA 2008. Needless to say, those hostnames could well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains.

curl is not alone with this problem, as there is currently a big flux in the world of network user-agents about which IDNA version to support and use.

This name problem exists for DNS-using protocols in curl, but only when built to use libidn.
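
The divergence described above, as an added example (not code from curl or from the advisory): Python's built-in `idna` codec implements IDNA 2003, and `to_ascii_2008_simplified` is a hypothetical helper that approximates IDNA 2008 by Punycode-encoding each label without applying that standard's validity rules. `audit` (also a hypothetical name) flags hostnames that the two conversions send to different DNS names; the sample list is constructed.

```python
import unicodedata

# Characters that IDNA 2003 maps or drops but IDNA 2008 keeps as-is
# (the "deviation" characters of UTS #46): sharp s, final sigma, ZWNJ, ZWJ.
DEVIATIONS = {"\u00df", "\u03c2", "\u200c", "\u200d"}

# Constructed sample input.
SAMPLE_HOSTS = ["straße.de", "example.com", "bücher.de"]


def to_ascii_2003(hostname):
    """IDNA 2003 ToASCII, as implemented by Python's built-in 'idna' codec."""
    return hostname.encode("idna").decode("ascii")


def to_ascii_2008_simplified(hostname):
    """Approximate IDNA 2008: lowercase, NFC, then Punycode per label.

    Assumption: no IDNA 2008 validity checks (disallowed code points,
    Bidi or CONTEXTJ rules) are applied; suitable for comparison only.
    """
    labels = []
    for label in unicodedata.normalize("NFC", hostname.lower()).split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def audit(hostnames):
    """Return (hostname, idna2003, idna2008) for names the standards split."""
    findings = []
    for name in hostnames:
        old = to_ascii_2003(name)
        new = to_ascii_2008_simplified(name)
        # A differing result means a libidn (IDNA 2003) client and an
        # IDNA 2008 client would query DNS for two different names.
        if old != new:
            findings.append((name, old, new))
    return findings


def deviation_chars(hostname):
    """List the deviation characters present in a hostname, in sorted order."""
    return sorted(set(hostname) & DEVIATIONS)


if __name__ == "__main__":
    for name, old, new in audit(SAMPLE_HOSTS):
        print(f"{name}: IDNA 2003 -> {old}, IDNA 2008 -> {new}, "
              f"deviation chars: {deviation_chars(name)}")
```

Running this over the hostnames in configuration files or URL allow-lists shows which entries depend on the IDNA version of the client that resolves them.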

Database specific
{
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2016-8625.html",
    "last_affected": "7.50.3",
    "URL": "https://curl.se/docs/CVE-2016-8625.json",
    "severity": "High",
    "affects": "both",
    "CWE": {
        "desc": "Inappropriate Encoding for Output Context",
        "id": "CWE-838"
    }
}
References
Credits
    • Christian Heimes - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.12.0
Fixed
7.51.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3

Database specific

vanir_signatures
