Vulnerability DatabaseCVE-2023-38039

CVE-2023-38039:
vulnerability analysis and mitigation

Overview

CVE-2023-38039 is a vulnerability in curl discovered in September 2023 that affects versions from 7.84.0 to 8.2.1. When curl retrieves an HTTP response, it stores incoming headers for later access via the libcurl headers API. The vulnerability exists because curl did not implement limits on header quantity or size, allowing a malicious server to stream endless headers and exhaust heap memory (Curl Docs).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The issue was addressed in curl 8.3.0 by implementing a 300 KB limit on the total size of headers in a single HTTP response (NVD, Curl Docs).

Impact

The vulnerability can lead to a Denial of Service (DoS) condition when a malicious server streams an endless series of headers, causing the client to run out of heap memory. Since libcurl allocates memory on the heap to store each header individually, the exact number of headers required to trigger this issue varies depending on the system configuration and available bandwidth (Curl Docs, NetApp Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to curl version 8.3.0 or later, which implements a 300 KB limit on total header size. Various vendors have released patches for their products, including Apple in their OS updates, Fedora in their package updates, and NetApp in their product fixes. For systems that cannot be immediately updated, monitoring response headers and implementing custom size limits at the application level may provide temporary mitigation (Curl Docs, Fedora Update).

Community reactions

The vulnerability has received significant attention from major technology vendors, with companies like Apple, NetApp, and Fedora quickly releasing security advisories and patches. The security community has classified this as a high-severity issue, particularly due to its potential for denial of service attacks against systems using curl for HTTP communications (Gentoo Advisory, NetApp Advisory).

Additional resources

Source: This report was generated using AI

7.5

Score

Published September 15, 2023

Severity HIGH

CNA Score N/A

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 94.1

Exploitation Probability (EPSS) 14.5

Sources

Alpine Security Tracker
- Alpine 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 Severity MEDIUMNo FixAdded at: Oct 10, 2023
- Alpine 3.15, 3.16, 3.17, 3.18, edge Severity MEDIUMHas FixAdded at: Sep 24, 2023
- Alpine 3.19 Severity MEDIUMHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity MEDIUMHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity MEDIUMHas FixAdded at: Dec 08, 2024
Anaconda
- Anaconda Severity HIGHHas FixAdded at: Jan 21, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Oct 13, 2023
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: May 04, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Oct 17, 2023
Debian Security Tracker
- Debian 12, 13 Severity HIGHHas FixAdded at: Sep 14, 2023
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Oct 11, 2023
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Oct 10, 2023
Photon Security Advisory
- Photon 3.0, 4.0 Severity HIGHHas FixAdded at: Sep 21, 2023
- Photon 5.0 Severity HIGHHas FixAdded at: Sep 20, 2023
Ubuntu Security Tracker
- Ubuntu 23.04 Severity MEDIUMHas FixAdded at: Sep 13, 2023
- Ubuntu 23.10 Severity MEDIUMHas FixAdded at: Oct 31, 2023
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024
NVD
- Linux Severity HIGHHas FixAdded at: Oct 09, 2023
- Windows Severity HIGHHas FixAdded at: Sep 13, 2023