{"id":"CURL-CVE-2020-8285","summary":"FTP wildcard stack overflow","details":"libcurl offers wildcard matching, in which a callback (set with\n`CURLOPT_CHUNK_BGN_FUNCTION`) tells libcurl how to handle each entry in a\ndirectory as libcurl iterates over the list of all available entries.\n\nWhen this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, telling libcurl not to\ndeal with that file, the internal function in libcurl calls itself\nrecursively to handle the next directory entry.\n\nGiven a sufficient number of file entries, and a callback that returns\n\"skip\" enough times in a row, libcurl runs out of stack space. The exact\nnumber needed varies with platform, compiler and other environmental\nfactors.\n\nThe content of the remote directory is not kept on the stack, so it seems hard\nfor an attacker to control exactly what data overwrites the stack. It\nremains a denial-of-service vector, however: a malicious user who controls a\nserver that a libcurl-using application talks to under these conditions can\ntrigger a crash.\n\n(There are also a few other ways the function can be made to call itself and\ntrigger this problem.)","aliases":["CVE-2020-8285"],"modified":"2026-04-25T20:38:38.410472Z","published":"2020-12-09T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2020-8285.html","package":"curl","affects":"lib","CWE":{"id":"CWE-674","desc":"Uncontrolled 
Recursion"},"severity":"Medium","URL":"https://curl.se/docs/CVE-2020-8285.json","issue":"https://hackerone.com/reports/1045844","last_affected":"7.73.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.21.0"},{"fixed":"7.74.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34"},{"fixed":"69a358f2186e04cf44698b5100332cbf1ee7f01d"}]}],"versions":["7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/69a358f2186e04cf44698b5100332cbf1ee7f01d","id":"CURL-CVE-2020-8285-65b6fad8","digest":{"threshold":0.9,"line_hashes":["184476775510533027388718895960952159918","156322506506110137926945070000429410314","20670977983588760395954824366509577612","278102778289078334853403258169767056118","144682017389939385701608362594309706533","131621475410468951009545355742511330897","298680581291691322372523203432016646829","87805244657659760734983676805655260028","304156502825623387915031696864575794500","250377572584863191851930198162220374942","219152875622843895157766199396587018645","249788917177248901814620531232541879609","229934088363978480374866438720399817264","249833688629470332671893301345845277338","1661694
7024250621797706306804227042553","163307598398905729452756516358754920690","112035334574893307048913912614018044024","4732401526453585347306579368991382251","136748861001560477059610996662755042352","196289514771246689056811597931181018401","302139749805394309412029144452541212210","126589822739659994475216228269045387619","7052257700509419687010305017051959790","95164453189720483914224746227333445313","101046728775490984498669370433447595214","112907376411410787337583488450866741432","209725143247895220449993859528486449660","161924809568114262498007302117580234034","46901839399932295533444423019060590101","286389445023554851020451828274250976951","339243473066722259395606020902605682126","193243849111261031672755347196207213838","247824563245202487817546174964122985975","182238994497900991494157708891485448117","122276382403288479645878768147535677474","260536672983422165743343616096725767095","113285187455372958742317071059983421354","151100951929605125895149235582978312504","296780908907283281402521847979035216106","245986569466214194968430266101912225619","262857017288710042605982669527728268853","63825592129842339935565536195935221244","22260514382630545754416686415687768139","272551934713781104526831918332248477068","270292755082778973902658303221894869492","329762068187632056024493119806360945250","252400245768985037824769754995845269643","176924150215363167416774373945547456578","146050695021673738253830705160046071095","26772898823155918896296417391003186188","163938423324659538389579608420945922451","335790195920982371262868827141264754275","306448789986871638855997100842877346374","49222901095553846119094993699932545777","100957916630084887041726104581817955296","99060895961864215138300934547528177110","87768511433855742134055795943720903267","210442911202601734021660639413709906775","249815437017568467660508141034847761552","35064834732799972834264501776059694593","30581373627516931635570079979305687045","73069935269460162140200452616170539333","3368899
26074454307775764928034567603909","80948005788548949409746454010292086251","294489105666982964896093784140130784867","123518199280162212681709385088815896735","304114755360855681048341279394647806155","339839388460226222135647677813759682259","28563967063495983991498076651565504923","12519712998606027190840193429206244736","78733076146910625726740995148005936326","113324048701480420145548900750204624198","66511267095692061918534709645601427179","58815775020112445308610360515692412918","3355612561801615269259732278642783023","257364883812737976887099773008915802416","130622861614188023874674013408614909879","178803334182069388137853375673130606449","164603634806349293079844675328777193306","69518015765548637480904078066987919762","71970450577021457971319474213358522376","39780458745606608704622362758242055289","295862100481163884323895892161262685904","67656100128756077856003049584649745349","214680522712283733581818378044678819549","77781875767912620221703595783849134299","326341713524016072158459507011427403985","63076702808956770739578637087181849397","320022334904461011021002872122184754284","257365936150555865064412372576098029158","114329593905384646151365700732148179306","335539186082343908086376234755402580280","205737797643200051427201554319319933951","183823347793250420801783353510962151258","316015407093221385407873125741135785340","235780497829215147823977033612277444840","5871209694374733622750166745107985531","286925292873319255277161967199864591253"]},"deprecated":false,"target":{"file":"lib/ftp.c"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/69a358f2186e04cf44698b5100332cbf1ee7f01d","id":"CURL-CVE-2020-8285-a42d2256","digest":{"length":3014,"function_hash":"168814935214221222596367167865072201906"},"deprecated":false,"target":{"function":"wc_statemach","file":"lib/ftp.c"},"signature_type":"Function"}],"source":"https://curl.se/docs/CURL-CVE-2020-8285.json","vanir_signatures_modified":"2026-04-25
T20:38:38Z"}}],"schema_version":"1.7.5","credits":[{"name":"xnynx on github","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}
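The recursion pattern the details field describes, as an added example that is not libcurl's code: a constructed toy of the wildcard state machine in which a "skip" answer from the application callback makes the machine call itself once per directory entry, beside the loop form that removes the attacker-controlled recursion depth. The names `wc_state`, `chunk_bgn`, `all_skip`, `skip_odd` and the `CHUNK_BGN_*` constants are assumptions of this model (the constants stand in for `CURL_CHUNK_BGN_FUNC_SKIP` and its non-skip counterpart); the listing length plays the role of the remote directory size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of CWE-674 in a listing state machine; not libcurl's code.
   Stand-ins for the CURL_CHUNK_BGN_FUNC_* return values (assumed names). */
enum { CHUNK_BGN_OK = 0, CHUNK_BGN_SKIP = 1 };

struct wc_state {
    size_t index;      /* next directory entry to hand to the callback */
    size_t count;      /* entries in the listing: chosen by the remote server */
    size_t handled;    /* entries the application chose not to skip */
    size_t max_depth;  /* deepest nesting reached (recursive version only) */
    int (*chunk_bgn)(size_t index, void *userp); /* app callback, like CURLOPT_CHUNK_BGN_FUNCTION */
    void *userp;
};

/* Vulnerable shape: a skipped entry is handled by calling the state machine
   again, so a run of N skipped entries costs N stack frames. Whether the
   compiler turns this tail call into a jump is exactly the "varies with
   compiler" caveat from the advisory; build with -O0 to see the frames. */
static int wc_statemach_recursive(struct wc_state *st, size_t depth) {
    if (depth > st->max_depth)
        st->max_depth = depth;
    if (st->index >= st->count)
        return 0;                       /* listing exhausted */
    int r = st->chunk_bgn(st->index, st->userp);
    st->index++;
    if (r == CHUNK_BGN_SKIP)
        return wc_statemach_recursive(st, depth + 1); /* recursion per skipped entry */
    st->handled++;
    return 0;
}

/* Fixed shape: iterate over skipped entries; stack use is constant no matter
   how long the server makes the listing. */
static int wc_statemach_loop(struct wc_state *st) {
    for (;;) {
        if (st->index >= st->count)
            return 0;
        int r = st->chunk_bgn(st->index, st->userp);
        st->index++;
        if (r == CHUNK_BGN_SKIP)
            continue;                   /* same state transition, no new frame */
        st->handled++;
        return 0;
    }
}

/* Drive the machine until the listing is consumed, as a transfer loop would. */
static size_t run_listing(struct wc_state *st, int recursive) {
    while (st->index < st->count) {
        if (recursive)
            wc_statemach_recursive(st, 0);
        else
            wc_statemach_loop(st);
    }
    return st->handled;
}

static struct wc_state make_state(size_t count, int (*cb)(size_t, void *), void *userp) {
    struct wc_state st;
    memset(&st, 0, sizeof st);
    st.count = count;
    st.chunk_bgn = cb;
    st.userp = userp;
    return st;
}

/* Hostile case: the application skips every entry (or the server only serves
   entries the application will skip), so nesting grows with listing length. */
static int all_skip(size_t index, void *userp) { (void)index; (void)userp; return CHUNK_BGN_SKIP; }
/* Benign case used to show both versions agree on what gets handled. */
static int skip_odd(size_t index, void *userp) { (void)userp; return (index & 1) ? CHUNK_BGN_SKIP : CHUNK_BGN_OK; }

/* Nesting depth the recursive version reaches for an all-skip listing of n entries. */
static size_t recursive_depth_for(size_t n) {
    struct wc_state st = make_state(n, all_skip, NULL);
    run_listing(&st, 1);
    return st.max_depth;
}

/* Entries handled by the loop version for a listing of n entries and callback cb. */
static size_t loop_handled_for(size_t n, int (*cb)(size_t, void *)) {
    struct wc_state st = make_state(n, cb, NULL);
    return run_listing(&st, 0);
}

/* Entries handled by the recursive version (kept small: depth == longest skip run). */
static size_t recursive_handled_for(size_t n, int (*cb)(size_t, void *)) {
    struct wc_state st = make_state(n, cb, NULL);
    return run_listing(&st, 1);
}

int main(void) {
    /* 1000 skipped entries nest 1000 deep; a real server can send far more. */
    printf("recursive depth for 1000 skipped entries: %zu\n", recursive_depth_for(1000));
    /* The loop version consumes a 5,000,000-entry all-skip listing with constant stack. */
    printf("loop version handled %zu of 5000000 all-skip entries\n", loop_handled_for(5000000, all_skip));
    printf("both versions handle %zu / %zu of a 10-entry skip-odd listing\n",
           loop_handled_for(10, skip_odd), recursive_handled_for(10, skip_odd));
    return 0;
}
```

The point of the model is that nothing in the recursive version bounds `depth` except the listing the server chose to send; the loop makes the same state transition without a frame, which is the shape of the fix in `wc_statemach` in `lib/ftp.c`.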