VDB

DEBIAN-CVE-2023-38039

DEBIAN-CVE-2023-38039 PUBLISHED CVSS 7.5 HIGH

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:12curl0, 7.88.1-10, 7.88.1-10+deb12u1
Debian:13curl0, 0, 0
Debian:14curl0, 0, 0

Exploit Intelligence

Timeline

  • Sep 15, 2023 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›