CURL-CVE-2023-23916

Source
https://curl.se/docs/CVE-2023-23916.html
Import Source
https://curl.se/docs/CURL-CVE-2023-23916.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2023-23916
Aliases
Published
2023-02-15T08:00:00Z
Modified
2024-01-25T02:42:51.616583Z
Summary
HTTP multi-header compression denial of service
Details

curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers.

The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

References
Credits
    • Patrick Monnerat - FINDER
    • Patrick Monnerat - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.57.0
Fixed
7.88.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0