{"id":"CURL-CVE-2023-38039","summary":"HTTP headers eat all memory","details":"When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit on the size or quantity of headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers to a client and eventually cause curl to run out of heap memory.","aliases":["CVE-2023-38039"],"modified":"2025-05-15T17:48:29Z","published":"2023-09-13T08:00:00Z","database_specific":{"severity":"Medium","last_affected":"8.2.1","www":"https://curl.se/docs/CVE-2023-38039.html","affects":"both","package":"curl","issue":"https://hackerone.com/reports/2072338","URL":"https://curl.se/docs/CVE-2023-38039.json","CWE":{"desc":"Allocation of Resources Without Limits or Throttling","id":"CWE-770"},"award":{"currency":"USD","amount":"2540"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.84.0"},{"fixed":"8.3.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"4d94fac9f0d1dd02b8308291e4c47651142dc28b"},{"fixed":"3ee79c1674fd6f99e8efca52cd7510e08b766770"}]}],"versions":["8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2023-38039.json","vanir_signatures":[{"digest":{"function_hash":"217856162028945208227756944370592861754","length":3174},"deprecated":false,"signature_type":"Function","target":{"file":"lib/cf-h1-proxy.c","function":"recv_CONNECT_resp"},"signature_version":"v1","id":"CURL-CVE-2023-38039-0087437c","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["266152777201181161272238381333752983590","226473907641945019129741068348208069936","39871203441645995248018875017125996466","236964077332353526136694381681811420344","261668016666241600746096543686176329414","339397223176748758535340556174729444807"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/http.h"},"signature_version":"v1","id":"CURL-CVE-2023-38039-09e76412","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["161386987300584230110239495379033515094","276739193331066840851545064172186791946","295266772483880254439657484762448042109","241559128329541869971716858373461861109"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/pingpong.c"},"signature_version":"v1","id":"CURL-CVE-2023-38039-193ef3c9","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"function_hash":"25634036898079910527776213607333032878","length":3294},"deprecated":false,"signature_type":"Function","target":{"file":"lib/pingpong.c","function":"Curl_pp_readresp"},"signature_version":"v1","id":"CURL-CVE-2023-38039-301361bc","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"function_hash":"289959481106961110124566541848340602002","length":10879},"deprecated":false,"signature_type":"Function","target":{"file":"lib/http.c","function":"Curl_http_readwrite_headers"},"signature_version":"v1","id":"CURL-CVE-2023-38039-4a33a999","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["153727179836068403278834459333255590585","161266886895214736959679432404959264782","158130729943200810335777424393268167007","167426758231598823047941510916722955474","221484565741061934679677783522154989559","81159150846839355279884534814109881053","202255363867029659057468693041804297249","241517222621887440328607978574233274593","257455479635308348040612387521814965935","162519920507744553024559035020664320316","288791198034856157556009118927148921569","85605736625292568684304881600898198149","108082863928655992355057425793722645123"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/http.c"},"signature_version":"v1","id":"CURL-CVE-2023-38039-4d1fcab4","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"function_hash":"62084057502864989608029726650223554524","length":1394},"deprecated":false,"signature_type":"Function","target":{"file":"lib/c-hyper.c","function":"status_line"},"signature_version":"v1","id":"CURL-CVE-2023-38039-5462c446","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["220214788420117660170330431646210929388","51233553473512347557797855110715217207","177930723961363986156720965672153511623","197985206780942310300217187130764166589","52249314844344248395005052265711245327","55517291530950294093044223647673042525","122591086740016198932181046968842410238","151000370705716657977071868381323362261","172699081279152655782293143818736289698","294226765416467911030868254452527776021","270080647168348232992635788056668549849"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/c-hyper.c"},"signature_version":"v1","id":"CURL-CVE-2023-38039-a801610f","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["114382137874919521338056168958940599379","32851204865726977051130315551742950373","234179250335772845966467765143701154112","58127195273346064729648054396158639453","181588827708254929671772670255527503355","252327653159680848636033877472677796162","87159290581569205702567292966104783771","78564278415356618316200196977230377388","240989178496983064324525034049345982246","63782540846623863278005710349225626704","201615245760757934877771637599845418560","61545082602412916904806631104826904709","115468048476202356188814307203981168298","49583577813772729421441846660222582793","54864908772453354653294499457288395575"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/urldata.h"},"signature_version":"v1","id":"CURL-CVE-2023-38039-a8de1ff7","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"function_hash":"44028677973125743973219208999173054567","length":1559},"deprecated":false,"signature_type":"Function","target":{"file":"lib/c-hyper.c","function":"hyper_each_header"},"signature_version":"v1","id":"CURL-CVE-2023-38039-b030bf63","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"},{"digest":{"threshold":0.9,"line_hashes":["190667180303681933230166742630931409265","140154736915609618466265130274956444378","340234524266739023559996464902571359952","46978815267586723746418814720087148698"]},"deprecated":false,"signature_type":"Line","target":{"file":"lib/cf-h1-proxy.c"},"signature_version":"v1","id":"CURL-CVE-2023-38039-c3f8f479","source":"https://github.com/curl/curl.git/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770"}]}}],"schema_version":"1.7.3","credits":[{"name":"selmelc on hackerone","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}