Connect with us

Hi, what are you looking for?



Critical SOCKS5 Vulnerability in cURL Puts Enterprise Systems at Risk

Flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations.

The maintainers of the cURL data transfer project on Wednesday rolled out patches for a severe memory corruption vulnerability that exposes millions of enterprise OSes, applications and devices to malicious hacker attacks.

According to an high-risk bulletin, the flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations.

The bug, tracked as CVE-2023-38545, exists in the libcurl library that handles data exchange between devices and servers.

From the advisory:

“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.

If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”

Swedish open source developer and curl maintainer Daniel Stenberg explained that the bug was introduced in February 2020 during related coding work on cURL’s SOCKS5 support.

“An attacker that controls an HTTPS server that a libcurl using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via a HTTP 30x response,” Stenberg explained, warning that in certain conditions, a heap buffer overflow is triggered.

Advertisement. Scroll to continue reading.

“This problem is the worst security problem found in [libcurl] in a long time,” Stenberg said. The issue was reported via the HackerOne platform by Jay Satiro and paid out $4,600, the largest cURL bug bounty to date.

Affected versions have been flagged as libcurl versions 7.69.0 to 8.3.0.  The project said the issue has been fixed in cURL 8.4.0.

cURL provides both a library (libcurl) and command-line tool (curl) for transferring data with URL syntax, supporting various network protocols, including SSL, TLS, HTTP, FTP, SMTP, among others.

Earlier this week, cURL released a pre-patch advisory urging organizations to urgently inventory and scan all systems utilizing curl and libcurl and prepare to apply the patches in cURL 8.4.0.

According to curl’s maintainers, the vulnerability potentially impacts all projects relying on libcurl, although some software may use it in a way that does not allow exploitation. “Updating the shared libcurl library should be enough to fix this issue on all operating systems.”

Related: Patches Prepared for ‘Probably Worst’ cURL Vulnerability

Related: Newly Exploited Zero-Days in WordPad, Skype for Business

Related: Information Disclosure, DoS Flaws Patched in libcurl

Related: cURL Security Audit Reveals Several Vulnerabilities

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.