{"id":"CURL-CVE-2024-2004","summary":"Usage of disabled protocol","details":"When a protocol selection parameter option disables all protocols without\nadding any, then the default set of protocols would remain in the allowed set\ndue to an error in the logic for removing protocols. The below command would\nperform a request to curl.se with a plaintext protocol which has been\nexplicitly disabled.\n\n    curl --proto -all,-http http://curl.se\n\nThe flaw is only present if the set of selected protocols disables the entire\nset of available protocols, in itself a command with no practical use and\ntherefore unlikely to be encountered in real situations. The curl security team\nhas thus assessed this to be a low severity bug.","aliases":["CVE-2024-2004"],"modified":"2026-04-25T20:38:33.955779Z","published":"2024-03-27T08:00:00Z","database_specific":{"award":{"amount":"540","currency":"USD"},"CWE":{"desc":"Misinterpretation of Input","id":"CWE-115"},"issue":"https://hackerone.com/reports/2384833","package":"curl","URL":"https://curl.se/docs/CVE-2024-2004.json","affects":"both","severity":"Low","last_affected":"8.6.0","www":"https://curl.se/docs/CVE-2024-2004.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.85.0"},{"fixed":"8.7.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"e6f8445edef8e7996d1cfb141d6df184efef972c"},{"fixed":"17d302e56221f5040092db77d4f85086e8a20e0e"}]}],"versions":["8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:38:33Z","source":"https://curl.se/docs/CURL-CVE-2024-2004.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"source":"https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e","target":{"file":"lib/setopt.c","function":"protocol2num"},"id":"CURL-CVE-2024-2004-9cf2e21f","digest":{"length":596,"function_hash":"263242573932328283999651086202567972618"},"signature_version":"v1"},{"signature_type":"Line","deprecated":false,"source":"https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e","target":{"file":"lib/setopt.c"},"id":"CURL-CVE-2024-2004-db5ae2c3","digest":{"threshold":0.9,"line_hashes":["146775005194302234180871574532588634564","80774664900874679466631972198617203437","86560868041181873753741543273752203153","109635461924336694993478269644761368576","39663110126223588880452705360058635771","102598405752472213421951089163281066316","157504417133305387864513172521483805914","145541974102060752112997255455914659047","55260926967184544494570742347233254077","309192183229697118771568187270845002502","207866583364123580529107003148224483591","279198607381022972964908451529542064687","204952814017326855018165074809916426516","218132813899329869962711050077308818148","97319856121381203335677480056430916413","2797198658783848953219211360631403037","2798885337662632170976809274065866810","285306478552654161847997198384499473828","101086623269084607372318015532336010479","84026534629191629047935736214357629521","279198607381022972964908451529542064687","204952814017326855018165074809916426516","187026923012455286014531231840419879013","284912050998252905552411915627914736924","66657897627182812001308922601052818508","883451548261387060813125014860668010"]},"signature_version":"v1"},{"signature_type":"Function","deprecated":false,"source":"https://github.com/curl/curl.git/commit/17d302e56221f5040092db77d4f85086e8a20e0e","target":{"file":"lib/setopt.c","function":"Curl_vsetopt"},"id":"CURL-CVE-2024-2004-fee4b627","digest":{"length":58066,"function_hash":"339673796738820965873681585057018251270"},"signature_version":"v1"}]}}],"schema_version":"1.7.5","credits":[{"name":"Dan Fandrich","type":"FINDER"},{"name":"Daniel Gustafsson","type":"REMEDIATION_DEVELOPER"}]}