JLSEC-2025-37
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-37.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-37.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/JLSEC-2025-37
- Upstream
- Published
- 2025-10-10T15:04:01.319Z
- Modified
- 2025-11-03T00:04:54.250735Z
- Summary
- libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers puny...
- Details
-
libcurl's URL API function curlurlget() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.
This flaw can lead to stack contents accidently getting returned as part of the converted string.
- Database specific
{ "license": "CC-BY-4.0", "sources": [ { "imported": "2025-10-10T14:33:22.351Z", "published": "2024-07-24T08:15:03.413Z", "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6874", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-6874", "id": "CVE-2024-6874", "modified": "2024-11-21T09:50:26.493Z" } ] }- References