{"id":"CURL-CVE-2023-23914","summary":"HSTS ignored on multiple requests","details":"curl's HSTS functionality fails when multiple URLs are requested serially.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL. This\nHSTS mechanism would however surprisingly be ignored by subsequent transfers\nwhen done on the same command line because the state would not be properly\ncarried on.\n\nReproducible like this:\n\n    curl --hsts \"\" https://curl.se http://curl.se\n\nThe first URL returns HSTS information that the second URL fails to take\nadvantage of.","aliases":["CVE-2023-23914"],"modified":"2026-04-25T20:22:29.593584Z","published":"2023-02-15T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2023-23914.json","issue":"https://hackerone.com/reports/1813864","award":{"currency":"USD","amount":"480"},"affects":"both","CWE":{"id":"CWE-319","desc":"Cleartext Transmission of Sensitive 
Information"},"severity":"Low","www":"https://curl.se/docs/CVE-2023-23914.html","package":"curl","last_affected":"7.87.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.77.0"},{"fixed":"7.88.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},{"fixed":"076a2f629119222aeeb50f5a03bf9f9052fabb9a"}]}],"versions":["7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:22:29Z","source":"https://curl.se/docs/CURL-CVE-2023-23914.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel 
Stenberg","type":"REMEDIATION_DEVELOPER"}]}