By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
{
"priority_reason": "Upstream defined this as low severity",
"availability": "No subscription required",
"binaries": [
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "curl"
},
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "libcurl3t64-gnutls"
},
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "libcurl4t64"
}
]
}