Curl library security flaws revealed


The Curl library is vulnerable to two flaws, one of which is “arguably the most critical security flaw identified in curl in recent history,” experts have warned.

For the uninitiated, Curl is an open source command-line tool used to transfer data with URL syntax. It supports multiple network protocols, including SSL, TLS, HTTP, FTP, SMTP, and more. 

It is used mostly by developers and system administrators to interact with APIs, download files, and automate workflows.

Withholding details

Saeed Abbasi, Product Manager with Qualys’ Threat Research Unit, published a blog post explaining the flaws and the upcoming fix. In the announcement, he said that the two vulnerabilities being addressed are tracked as CVE-2023-38545 and CVE-2023-38546. The first one is labeled as high-severity, and affects both libcurl and the curl tool. The second one is low-severity, and only impacts libcurl.

Given that the fix is yet to be released, the researchers did not want to share any more details. Among other things, they couldn’t say which versions were vulnerable, as that would help pinpoint the problematic areas quite accurately.

In a GitHub discussion, maintainer Daniel Stenberg only said that the flaws affect the "last several years" of versions. That’s “as specific as I can get,” he said. "Sure, there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason," Stenberg added.

The update is expected to be released on October 11 this year, when Curl will hit version 8.4.0, Abbasi confirmed. "Organizations should urgently inventory and scan all systems utilizing curl and libcurl, anticipating identifying potentially vulnerable versions once details are disclosed with the release of Curl 8.4.0 on October 11."
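The inventory step Abbasi recommends is something an administrator can script before the advisory lands. The POSIX shell snippet below is an added example, not code from the article, from Qualys or from the curl project: it parses the first line of `curl --version` (which names both the tool version and the `libcurl/` version it is linked against), compares each against the 8.4.0 release the article names, and lists the libcurl shared objects the dynamic linker knows about. It assumes that any version below 8.4.0 should be treated as needing the update, which is a conservative reading of Stenberg's "last several years" and not a range the article states; the `ldconfig` listing is Linux-specific and is skipped where the tool is absent.

```shell
#!/bin/sh
# Added example (not from the article or the curl project): inventory the curl
# tool and libcurl on this host and flag versions below the fix release.
# FIXED_VERSION comes from the article (curl 8.4.0). Treating everything below
# it as needing an update is an assumption; the article does not give a range.
FIXED_VERSION="8.4.0"

# version_lt A B : succeed (exit 0) when dotted version A is strictly lower than B.
# Field-by-field numeric comparison in POSIX awk, so "7.88.1" < "8.4.0" and
# "8.10.0" > "8.4.0" both come out right (a plain string compare would not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# parse_curl_version_line LINE : print "<tool-version> <libcurl-version>" from the
# first line of `curl --version`, which looks like
#   curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.11 zlib/1.2.13 ...
parse_curl_version_line() {
    printf '%s\n' "$1" | awk '{
        tool = $2; lib = ""
        for (i = 3; i <= NF; i++)
            if ($i ~ /^libcurl\//) { sub(/^libcurl\//, "", $i); lib = $i }
        print tool, lib
    }'
}

# assess_version_line LINE : "update-needed" if the tool or its libcurl is below
# FIXED_VERSION, "at-or-above-fix" otherwise, "unknown" if the line is unparseable.
assess_version_line() {
    set -- $(parse_curl_version_line "$1")
    tool="$1"; lib="$2"
    [ -z "$tool" ] && { echo "unknown"; return; }
    if version_lt "$tool" "$FIXED_VERSION" || { [ -n "$lib" ] && version_lt "$lib" "$FIXED_VERSION"; }; then
        echo "update-needed"
    else
        echo "at-or-above-fix"
    fi
}

# inventory_host : report the curl on PATH plus libcurl libraries registered with
# the dynamic linker. Tolerant of a missing curl or ldconfig.
inventory_host() {
    echo "# fix version assumed from the article: $FIXED_VERSION"
    if command -v curl >/dev/null 2>&1; then
        line=$(curl --version 2>/dev/null | head -n 1) || true
        echo "curl tool: $line"
        echo "status: $(assess_version_line "$line")"
    else
        echo "curl tool: not on PATH"
    fi
    if command -v ldconfig >/dev/null 2>&1; then
        # Each libcurl.so the linker knows about; versions still need checking
        # against the package manager, since the soname does not carry 8.x.y.
        ldconfig -p 2>/dev/null | grep -i 'libcurl' | sed 's/^/libcurl (ldconfig): /' || true
    fi
}

inventory_host
```

Run it on each host (or push it through your configuration management) and collect the `status:` lines; a tool reporting 8.4.0 while linked against an older `libcurl/` still comes back as `update-needed`, which is the case the article's note that the high-severity flaw affects libcurl as well as the tool is warning about. Statically linked and vendored copies of libcurl inside other binaries are not found by this script and need a software-composition or package inventory instead.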


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.