What is CVE-2023-38039?

CVE-2023-38039 is a vulnerability in Curl. Published 2023-09-15.

Is CVE-2023-38039 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Curl

CVE-2023-38039

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowi…

EPSS: 0.638 (99.1th percentile) — read the EPSS interpretation.

Affected products

Curl — versions 8.3.0, 7.84.0

Public proof-of-concept exploits

Smartkeyss/CVE-2023-38039
fkie-cad/nvd-json-data-feeds
nomi-sec/PoC-in-GitHub
runwhen-contrib/helm-charts
testing-felickz/docker-scout-demo

References

hackerone.com/reports/2072338
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
security.gentoo.org/glsa/202310-12
security.netapp.com/advisory/ntap-20231013-0005/
seclists.org/fulldisclosure/2023/Oct/17
support.apple.com/kb/HT214036
www.insyde.com/security-pledge/SA-2023064
support.apple.com/kb/HT214063

Frequently asked questions

What is CVE-2023-38039?: CVE-2023-38039 is a vulnerability in Curl. Published 2023-09-15.
Is CVE-2023-38039 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.