Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / HTTP headers eat all memory
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 2540 USD

CVE-2023-38039

HTTP headers eat all memory

Project curl Security Advisory, September 13 2023 - Permalink

VULNERABILITY

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers to a client and eventually cause curl to run out of heap memory.

INFO

Since libcurl allocates memory on the heap to store each header individually, the exact number of headers required for this to become a problem will vary greatly from case to case. As the headers typically need to be transferred over a network to curl, the available bandwidth will also affect how likely or how fast this problem can be triggered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-38039 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Medium

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

This flaw existed already in the 7.83.0 source code, but in that release the feature was still marked EXPERIMENTAL and was not enabled in normal builds. The label was removed in 7.84.0, which is why we consider that the first vulnerable version.

SOLUTION

Starting in curl 8.3.0, curl returns an error if the total size of the headers in a single HTTP response exceeds 300 KB.

RECOMMENDATIONS

A - Upgrade curl to version 8.3.0

B - Apply the patch to your local version

C - Monitor response headers and return an error if there are too many

TIMELINE

This issue was reported to the curl project on July 17, 2023. We contacted distros@openwall on September 6, 2023.

This report arrived before the 8.2.0 and 8.2.1 releases shipped (on July 19 and July 26), but we did not manage to work it through and fix it in time for those releases.

libcurl 8.3.0 was released on September 13 2023, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!