Forum Discussion
CVE-2023-38545: Heap-based Buffer Overflow in curl
On October 3, Daniel Stenberg, a maintainer of curl, announced that a new high severity vulnerability would be fixed in curl 8.4.0, and that the fix would be released ahead of schedule on October 11. Stenberg also described the vulnerability as “the worst security problem found in curl in a long time”.
On October 11, curl version 8.4.0 was released. The high severity vulnerability is CVE-2023-38545, a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. Another CVE fixed in the release is CVE-2023-38546, a low severity cookie injection vulnerability in the curl_easy_duphandle() function in libcurl.
For more information about these vulnerabilities, including the availability of Tenable product coverage, please visit our blog.
1 Reply
- kbull (Connect Contributor)
The VPR Scoring for Plugin 182875 for the Curl 7.69 < 8.4.0 Heap Buffer Overflow was just raised to a Critical 9.2 severity. The CVE Base Score is still high at an 8.4.
The official stance from curl.se still seems to be to upgrade with extreme caution because an upgrade is likely to break other services or software in your OS.
Has anyone heard if Microsoft has any plans to release a patch?