Connect with us

Hi, what are you looking for?



Information Disclosure, DoS Flaws Patched in libcurl

The developers of the popular multiprotocol data transfer library libcurl informed users on Wednesday that the latest version addresses two vulnerabilities.

The developers of the popular multiprotocol data transfer library libcurl informed users on Wednesday that the latest version addresses two vulnerabilities.

Libcurl is a free and highly portable file transfer library that supports roughly two dozen protocols and various features. The libcurl website lists more than 250 organizations that use the library in their products, including Adobe, Apple, the BBC, BMW, Broadcom, Cisco, Electronic Arts, Facebook, Google, Intel, Mozilla, Samsung, Sony, VMware and several cybersecurity firms.

The latest Libcurl release, version 7.58.0, patches a total of 82 bugs, including two vulnerabilities that can lead to information disclosure or a denial-of-service (DoS) condition.

One of the security holes, tracked as CVE-2018-1000007, can lead to authentication data getting leaked to third parties.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value,” developers said in an advisory.

“Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client’s request,” they added.

This vulnerability has existed in the libcurl code for a long time. “It existed in the first commit we have recorded in the project,” developers noted.

Advertisement. Scroll to continue reading.

The second flaw, identified as CVE-2018-1000005, has been described as an out-of-bounds read issue that can lead to a DoS condition or information disclosure.

“The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ‘:’ to the target buffer, while this was recently changed to ‘: ‘ (a space was added after the colon) but the associated math wasn’t updated correspondingly,” developers explained. “When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback.”

This vulnerability only affects libcurl versions 7.49.0 through 7.57.0.

CVE-2018-1000007 was reported to cURL developers on January 18, while CVE-2018-1000005 was brought to their attention on January 10. Developers said they had not been aware of any attempts to exploit these flaws.

Various Linux distributions are also working on pushing out updates that patch the flaws.

Related: Thousands of Third-Party Library Flaws Put Pacemakers at Risk

Related: SDL Development Library Allows Code Execution via GIMP Files

Related: GitHub Warns Developers When Using Vulnerable Libraries

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.