CURL-CVE-2018-1000300

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-1000300.html

Import Source

https://curl.se/docs/CURL-CVE-2018-1000300.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2018-1000300

Aliases

CVE-2018-1000300

Published

2018-05-16T08:00:00Z

Modified

2026-05-18T13:46:05.231425Z

Summary

FTP shutdown response buffer overflow

Details

curl might overflow a heap based memory buffer when closing down an FTP connection with long server command replies.

When doing FTP transfers, curl keeps a spare "closure handle" around internally that is used when an FTP connection gets shut down since the original curl easy handle is then already removed.

FTP server response data that gets cached from the original transfer might then be larger than the default buffer size (16 KB) allocated in the "closure handle", which can lead to a buffer overwrite. The contents and size of that overwrite is controllable by the server.

This situation was detected by an assert() in the code, but that was of course only preventing bad stuff in debug builds. This bug is highly unlikely to trigger with non-malicious servers.

Database specific

{
    "affects": "both",
    "last_affected": "7.59.0",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2018-1000300.html",
    "severity": "High",
    "CWE": {
        "desc": "Heap-based Buffer Overflow",
        "id": "CWE-122"
    },
    "URL": "https://curl.se/docs/CVE-2018-1000300.json"
}

References

Credits

- Dario Weisser - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.54.1

Fixed

7.60.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

e40e9d7f0decc799e3ccfe2c418632f8bb52031a

Fixed

583b42cb3b809b1bf597af160468ccba728c2248

Affected versions

7.*

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

Other

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/curl/curl.git/commit/583b42cb3b809b1bf597af160468ccba728c2248",
        "signature_version": "v1",
        "target": {
            "file": "lib/pingpong.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "229758711889692930654527470441779275027",
                "220322334328261129743823848021469509886",
                "296596693923419492886215170191994352530",
                "36235404738579012465951377492501113291"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2018-1000300-0a45ae05"
    },
    {
        "source": "https://github.com/curl/curl.git/commit/583b42cb3b809b1bf597af160468ccba728c2248",
        "signature_version": "v1",
        "target": {
            "function": "Curl_pp_readresp",
            "file": "lib/pingpong.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 3224.0,
            "function_hash": "213018455658973195550019192185324775648"
        },
        "id": "CURL-CVE-2018-1000300-80deae81"
    }
]

vanir_signatures_modified

"2026-05-18T13:46:05Z"

source

"https://curl.se/docs/CURL-CVE-2018-1000300.json"