{"id":"CURL-CVE-2023-23916","summary":"HTTP multi-header compression denial of service","details":"curl supports \"chained\" HTTP compression algorithms, meaning that a server\nresponse can be compressed multiple times and potentially with different\nalgorithms. The number of acceptable \"links\" in this \"decompression chain\" was\ncapped, but the cap was implemented on a per-header basis allowing a malicious\nserver to insert a virtually unlimited number of compression steps simply by\nusing many headers.\n\nThe use of such a decompression chain could result in a \"malloc bomb\", making\ncurl end up spending enormous amounts of allocated heap memory, or trying to\nand returning out of memory errors.","aliases":["CVE-2023-23916"],"modified":"2025-05-15T17:48:29Z","published":"2023-02-15T08:00:00Z","database_specific":{"CWE":{"id":"CWE-770","desc":"Allocation of Resources Without Limits or Throttling"},"severity":"Medium","package":"curl","www":"https://curl.se/docs/CVE-2023-23916.html","last_affected":"7.87.0","URL":"https://curl.se/docs/CVE-2023-23916.json","issue":"https://hackerone.com/reports/1826048","affects":"both","award":{"currency":"USD","amount":"2400"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.57.0"},{"fixed":"7.88.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"dbcced8e32b50c068ac297106f0502ee200a1ebd"},{"fixed":"119fb187192a9ea13dc90d9d20c215fc82799ab9"}]}],"versions":["7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2023-23916.json","vanir_signatures":[{"digest":{"function_hash":"236136722379571766480436126468880933004","length":1391},"target":{"file":"lib/content_encoding.c","function":"Curl_build_unencoding_stack"},"source":"https://github.com/curl/curl.git/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CURL-CVE-2023-23916-04d4e0af"},{"digest":{"threshold":0.9,"line_hashes":["225682655952001326715220674207391006600","285785662562700632386988265942516493028","203103347077643510629770777772191475331","281980678149956129927863230221465799883","114552470392839331261066750353470777076","309703287710777946316441318192642982340","226005546279310649221062165644729979516","269037724858927312323434386765073202848","318480930092771807115527444739740201889","13531748173703579674894831209765224433"]},"target":{"file":"lib/content_encoding.c"},"source":"https://github.com/curl/curl.git/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CURL-CVE-2023-23916-399d64d5"},{"digest":{"threshold":0.9,"line_hashes":["314691222874946517552656372691008466937","169853910395093266110753057715160474849","189328306042192910930881936581626190490","27503069412827551803451655498114064704"]},"target":{"file":"lib/urldata.h"},"source":"https://github.com/curl/curl.git/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CURL-CVE-2023-23916-d069efcb"}]}}],"schema_version":"1.7.3","credits":[{"name":"Patrick Monnerat","type":"FINDER"},{"name":"Patrick Monnerat","type":"REMEDIATION_DEVELOPER"}]}