curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)

From: Daniel Stenberg via curl-library <>
Date: Fri, 25 Aug 2023 23:38:03 +0200 (CEST)

On Fri, 25 Aug 2023, Samuel Henrique via curl-library wrote:

> I wanted to let you know that there's a recent curl CVE published and
> it doesn't look like it was acknowledged by the curl authors since
> it's not mentioned in the curl website:
> CVE-2020-19909

Thank you for this Samuel. I had no idea.

This discovery makes me sad and upset at the same time.

1. The fact that people can submit curl CVEs without us being told is a system

2. This exact bug was discussed (and dismissed) by the curl security team in

3. This is not a security problem, as we figured out in the curl security team
    and frankly, anyone can see that who spends more than 30 seconds on the
    code and think about what the integer overflow in question is controlling.

4. NVD then in their infinite wisdom goes all bananas and ranks it a 9.8
    CRITICAL. It is almost as if NVD *tries* to inflate curl reports. How the
    heck can anyone motivate this severity level?

Unfortunately I think I need to spend some time to write up something about
this, in blog form and on the curl site.

This is not a (curl) security problem at all. This is just silly.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-08-25