QwikSec

Security Database

CVE

CWE

Training

CVE-2023-38039

Published: Sep 15, 2023

Modified: Dec 2, 2025

PUBLISHED

Description

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Vendor	Product	Versions
curl	curl	affected `8.3.0 - < 8.3.0` unaffected `7.84.0 - < 7.84.0`

References

https://hackerone.com/reports/2072338

https://lists.fedoraproject.org/archives/list/[email protected]/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/

https://lists.fedoraproject.org/archives/list/[email protected]/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/

https://lists.fedoraproject.org/archives/list/[email protected]/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/

https://security.gentoo.org/glsa/202310-12

https://security.netapp.com/advisory/ntap-20231013-0005/

http://seclists.org/fulldisclosure/2023/Oct/17

https://support.apple.com/kb/HT214036

https://www.insyde.com/security-pledge/SA-2023064

https://support.apple.com/kb/HT214063

https://support.apple.com/kb/HT214057

https://support.apple.com/kb/HT214058

http://seclists.org/fulldisclosure/2024/Jan/34

http://seclists.org/fulldisclosure/2024/Jan/37

http://seclists.org/fulldisclosure/2024/Jan/38

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.