CURL-CVE-2024-2004

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2024-2004.html

Import Source

https://curl.se/docs/CURL-CVE-2024-2004.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2024-2004

Aliases

CVE-2024-2004

Published

2024-03-27T08:00:00Z

Modified

2026-05-29T05:40:28.074222Z

Summary

Usage of disabled protocol

Details

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.

curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Database specific

{
    "severity": "Low",
    "award": {
        "amount": "540",
        "currency": "USD"
    },
    "affects": "both",
    "issue": "https://hackerone.com/reports/2384833",
    "CWE": {
        "id": "CWE-115",
        "desc": "Misinterpretation of Input"
    },
    "URL": "https://curl.se/docs/CVE-2024-2004.json",
    "last_affected": "8.6.0",
    "www": "https://curl.se/docs/CVE-2024-2004.html",
    "package": "curl"
}

References

Credits

- Dan Fandrich - FINDER
- Daniel Gustafsson - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.85.0

Fixed

8.7.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

e6f8445edef8e7996d1cfb141d6df184efef972c

Fixed

17d302e56221f5040092db77d4f85086e8a20e0e

Affected versions

7.*

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

Other

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

tiny-curl-8_4_0

Database specific

vanir_signatures_modified

"2026-05-29T05:40:28Z"

vanir_signatures

[
    {
        "digest": {
            "function_hash": "263242573932328283999651086202567972618",
            "length": 596.0
        },
        "signature_version": "v1",
        "id": "CURL-CVE-2024-2004-9cf2e21f",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/setopt.c",
            "function": "protocol2num"
        },
        "source": "https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e"
    },
    {
        "digest": {
            "line_hashes": [
                "146775005194302234180871574532588634564",
                "80774664900874679466631972198617203437",
                "86560868041181873753741543273752203153",
                "109635461924336694993478269644761368576",
                "39663110126223588880452705360058635771",
                "102598405752472213421951089163281066316",
                "157504417133305387864513172521483805914",
                "145541974102060752112997255455914659047",
                "55260926967184544494570742347233254077",
                "309192183229697118771568187270845002502",
                "207866583364123580529107003148224483591",
                "279198607381022972964908451529542064687",
                "204952814017326855018165074809916426516",
                "218132813899329869962711050077308818148",
                "97319856121381203335677480056430916413",
                "2797198658783848953219211360631403037",
                "2798885337662632170976809274065866810",
                "285306478552654161847997198384499473828",
                "101086623269084607372318015532336010479",
                "84026534629191629047935736214357629521",
                "279198607381022972964908451529542064687",
                "204952814017326855018165074809916426516",
                "187026923012455286014531231840419879013",
                "284912050998252905552411915627914736924",
                "66657897627182812001308922601052818508",
                "883451548261387060813125014860668010"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CURL-CVE-2024-2004-db5ae2c3",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/setopt.c"
        },
        "source": "https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e"
    },
    {
        "digest": {
            "function_hash": "339673796738820965873681585057018251270",
            "length": 58066.0
        },
        "signature_version": "v1",
        "id": "CURL-CVE-2024-2004-fee4b627",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/setopt.c",
            "function": "Curl_vsetopt"
        },
        "source": "https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e"
    }
]

source

"https://curl.se/docs/CURL-CVE-2024-2004.json"