{"id":"CURL-CVE-2020-8231","summary":"wrong connect-only connection","details":"An application that performs multiple requests with libcurl's multi API and\nsets the `CURLOPT_CONNECT_ONLY` option might, in rare circumstances, find that\nwhen it subsequently uses the connect-only transfer it set up, libcurl picks\nand uses the wrong connection: another one that the application has created\nsince then.\n\n`CURLOPT_CONNECT_ONLY` is the option that tells libcurl not to perform an actual\ntransfer, only connect. When that operation is completed, libcurl remembers\nwhich connection it used for that transfer and \"easy handle\". It remembers the\nconnection using a pointer to the internal `connectdata` struct in memory.\n\nIf more transfers are then done with the same multi handle before the\nconnect-only connection is used, leading to the initial connect-only\nconnection getting closed (for example due to idle time-out) while new\ntransfers (and connections) are also set up, such a *new* connection might end\nup getting the exact same memory address as the now closed connect-only\nconnection.\n\nIf, after those operations, the application then wants to use the original\ntransfer's connect-only setup, for example to call `curl_easy_send()` to send\nraw data over that connection, libcurl could **erroneously** find an existing\nconnection still alive at the address it remembered from before, even\nthough this is now a new and different connection.\n\nThe application could then accidentally send data over that connection which\nwas not at all intended for that recipient, entirely 
unknowingly.","aliases":["CVE-2020-8231"],"modified":"2026-04-25T20:38:37.717309Z","published":"2020-08-19T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2020-8231.json","last_affected":"7.71.1","package":"curl","award":{"currency":"USD","amount":"500"},"www":"https://curl.se/docs/CVE-2020-8231.html","severity":"Low","issue":"https://hackerone.com/reports/948876","CWE":{"id":"CWE-825","desc":"Expired Pointer Dereference"},"affects":"lib"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.29.0"},{"fixed":"7.72.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"c43127414d89ccb9ef6517081f68986d991bcfb3"},{"fixed":"3c9e021f86872baae412a427e807fbfa2f3e8a22"}]}],"versions":["7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2020-8231.json","vanir_signatures_modified":"2026-04-25T20:38:37Z"}}],"schema_version":"1.7.5","credits":[{"name":"Marc Aldorasi","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}