- 11/10/2023 --- v1.0 -- Initial publication
A security vulnerability in the cURL tool and libcurl library has been identified . This flaw enables a heap-based buffer overflow during the SOCKS5 proxy handshake, potentially allowing malicious actors to execute arbitrary code (RCE). At this time, CERT-EU is not aware of any active exploits leveraging this vulnerability. The vulnerability affects libcurl versions 7.69.0 to 8.3.0. The issue was reported on September 30, 2023, and a patch has been released in curl version 8.4.0. The vulnerability is tracked as
The vulnerability arises from a bug in curl's handling of hostnames during the SOCKS5 proxy handshake. When instructed to forward the hostname to the SOCKS5 proxy for resolution, curl has a maximum limit of 255 bytes. If a hostname longer than this is encountered, a bug may cause the program to mistakenly copy the entire hostname to the target buffer, instead of just the resolved address.
For the vulnerability to be exploitable, the application must use
socks5h proxy as described below.
In libcurl : -
CURLOPT_PROXYTYPE set to type
CURLPROXY_SOCKS5_HOSTNAME, or: -
CURLOPT_PRE_PROXY set to use the scheme
socks5h:// - One of the proxy environment variables can be set to use the
socks5h:// scheme. For example
In cURL tool : -
--socks5-hostname, or: -
--preproxy set to use the scheme
socks5h:// - Environment variables as described in the libcurl section.
It also requires that the victim access an attacker controlled website.
- libcurl to 7.69.0 to 8.3.0
Note: Versions prior to 7.69.0 are not affected.
While CERT-EU assess the exploitability of this vulnerability as low, CERT-EU recommends updating to cURL 8.4.0.
As cURL and libcurl are being used by a large variety of operating systems and applications, CERT-EU recommends prioritising the patching on public facing applications, and especially those accepting arbitrary user inputs, and critical systems.