CVE-2023-38039

HIGH

Haxx Curl < 8.3.0 - Resource Allocation Without Limits

Title source: rule

Description

When curl receives an HTTP response it stores the incoming headers so that they can be read back later through the libcurl headers API (curl_easy_header and curl_easy_nextheader). curl 7.84.0 through 8.2.1 placed no limit on how many headers, or how many header bytes, a single response could add to that store, so a malicious server can stream an endless series of headers and exhaust the heap of the curl tool or of any application linked against libcurl. The impact is denial of service of the client, which is why the CVSS vector scores availability only. curl 8.3.0 fixes this by capping the accumulated response header size at 300 KB and failing the transfer when a response exceeds it.
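The following is an added example, not curl project code, showing the accumulation pattern behind this CVE in its unbounded form next to a bounded form, driven by a constructed "endless headers" stream that stands in for a malicious server. The 300 KB cap, the struct and function names, and the stream parameters are this example's assumptions; the bounded sink deliberately has the same signature as a CURLOPT_HEADERFUNCTION callback so that an application stuck on an unpatched libcurl can impose its own ceiling.

```c
/* Added example (not curl's code): unbounded vs capped response-header
 * accumulation, exercised with a constructed endless header stream. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example; curl 8.3.0 uses a 300 KB ceiling. */
#define MAX_HEADER_BYTES (300 * 1024)

struct header_store {
    char **lines;        /* one heap copy per header line */
    size_t count;        /* lines stored */
    size_t cap;          /* allocated slots in lines[] */
    size_t total_bytes;  /* sum of stored line lengths */
};

static void store_init(struct header_store *s) { memset(s, 0, sizeof *s); }

static void store_free(struct header_store *s) {
    for (size_t i = 0; i < s->count; i++) free(s->lines[i]);
    free(s->lines);
    store_init(s);
}

/* Vulnerable pattern: keep every header line with no bound on count or size.
 * A server that never stops sending headers drives this until malloc fails. */
static int store_header_unbounded(struct header_store *s, const char *line, size_t len) {
    if (s->count == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        char **n = realloc(s->lines, ncap * sizeof *n);
        if (!n) return -1;
        s->lines = n;
        s->cap = ncap;
    }
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, line, len);
    copy[len] = '\0';
    s->lines[s->count++] = copy;
    s->total_bytes += len;
    return 0;
}

/* Hardened pattern: refuse once the accumulated header bytes would exceed the cap. */
static int store_header_bounded(struct header_store *s, const char *line, size_t len) {
    if (s->total_bytes + len > MAX_HEADER_BYTES) return -1;  /* too large: abort */
    return store_header_unbounded(s, line, len);
}

/* Sink with the CURLOPT_HEADERFUNCTION signature. Returning anything other
 * than size*nitems makes libcurl abort the transfer with CURLE_WRITE_ERROR. */
static size_t capped_header_cb(char *buffer, size_t size, size_t nitems, void *userdata) {
    size_t len = size * nitems;
    if (store_header_bounded(userdata, buffer, len) != 0) return 0;  /* abort */
    return len;
}

/* Same signature, no ceiling: the behaviour an unpatched libcurl exhibits. */
static size_t unbounded_header_cb(char *buffer, size_t size, size_t nitems, void *userdata) {
    size_t len = size * nitems;
    if (store_header_unbounded(userdata, buffer, len) != 0) return 0;
    return len;
}

/* Constructed stand-in for a malicious server: lines of the form
 * "X-Pad-<n>: aaaa...\r\n", each exactly line_len bytes (line_len >= 64 assumed).
 * Returns how many lines the sink accepted before it refused one. */
static size_t stream_headers(size_t max_lines, size_t line_len,
                             size_t (*sink)(char *, size_t, size_t, void *), void *ud) {
    char *line = malloc(line_len + 1);
    if (!line) return 0;
    size_t accepted = 0;
    for (size_t n = 0; n < max_lines; n++) {
        int hdr = snprintf(line, line_len + 1, "X-Pad-%zu: ", n);
        memset(line + hdr, 'a', line_len - (size_t)hdr - 2);
        line[line_len - 2] = '\r';
        line[line_len - 1] = '\n';
        if (sink(line, 1, line_len, ud) != line_len) break;
        accepted++;
    }
    free(line);
    return accepted;
}

/* Drive one sink over the stream; reports lines accepted and bytes retained. */
static size_t run_sink(size_t (*sink)(char *, size_t, size_t, void *),
                       size_t lines, size_t line_len, size_t *bytes_out) {
    struct header_store s;
    store_init(&s);
    size_t accepted = stream_headers(lines, line_len, sink, &s);
    *bytes_out = s.total_bytes;
    store_free(&s);
    return accepted;
}

int main(void) {
    size_t bytes;
    size_t n = run_sink(capped_header_cb, 1000000, 1024, &bytes);
    printf("capped sink: accepted %zu lines, kept %zu bytes, then aborted\n", n, bytes);
    n = run_sink(unbounded_header_cb, 2000, 1024, &bytes);
    printf("unbounded sink: accepted all %zu lines, kept %zu bytes (and would keep going)\n", n, bytes);
    return 0;
}
```

To apply the ceiling in a real application on a libcurl older than 8.3.0, register the capped sink with `curl_easy_setopt(h, CURLOPT_HEADERFUNCTION, capped_header_cb)` and `curl_easy_setopt(h, CURLOPT_HEADERDATA, &store)`; the first refused line ends the transfer with CURLE_WRITE_ERROR before the server can push the accumulated headers any further. Upgrading to 8.3.0 or later remains the real fix, since it caps the library's own header store rather than relying on every caller.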

Exploits (1)

nomisec WORKING POC
by Smartkeyss · poc
https://github.com/Smartkeyss/CVE-2023-38039

Scores

CVSS v3 7.5
EPSS 0.1231
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (12)
fedoraproject/fedora 37
fedoraproject/fedora 38
fedoraproject/fedora 39
haxx/curl 7.84.0 - 8.2.1 (fixed in 8.3.0)
microsoft/windows_10_1809 < 10.0.17763.5122
microsoft/windows_10_21h2 < 10.0.19044.3693
microsoft/windows_10_22h2 < 10.0.19045.3693
microsoft/windows_11_21h2 < 10.0.22000.2600
microsoft/windows_11_22h2 < 10.0.22621.2715
microsoft/windows_11_23h2 < 10.0.22631.2715
... and 2 more
Published Sep 15, 2023
Tracked Since Feb 18, 2026