curl / Docs / curl CVEs / fopen race condition
Awarded 2400 USD


fopen race condition

Project curl Security Advisory, July 19 2023 - Permalink


As of August 2023, the curl security team has retracted this issue and we no longer consider this a curl security flaw. This race condition is a potential issue for users, but one that cannot easily be avoided or fixed for users who insist in creating and storing sensitive files in the same directory where curl saves files - in a multi-user system.

For the sake of history, we keep the advisory as it was originally stated below.


libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim into creating or overwriting protected files holding this data in ways it was not intended to.


The attacker needs permissions and rights sufficient enough to be able to create or rename directory entries in the directory the victim saves their files.

This race condition modifies the behavior of symbolic link files in affected components, since they might be followed instead of being overwritten when the condition is met, leading to both undesired and potentially destructive behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-32001 to this issue.

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Severity: Medium


libcurl is used by many applications, but not always advertised as such!



A - Upgrade curl to version 8.2.0

B - Apply the patch to your local version

C - Do not save cookie, HSTS or alt-svc data


This issue was reported to the curl project on June 27, 2023. We contacted distros@openwall on July 12, 2023.

libcurl 8.2.0 was released on July 19 2023, coordinated with the publication of this advisory.


Thanks a lot!