{"id":"CURL-CVE-2023-23914","summary":"HSTS ignored on multiple requests","details":"curl's HSTS functionality fails when multiple URLs are requested serially.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL. This\nHSTS mechanism would however surprisingly be ignored by subsequent transfers\nwhen done on the same command line because the state would not be properly\ncarried on.\n\nReproducible like this:\n\n    curl --hsts \"\" https://curl.se http://curl.se\n\nThe first URL returns HSTS information that the second URL fails to take\nadvantage of.","aliases":["CVE-2023-23914"],"modified":"2026-04-25T20:30:18.948405Z","published":"2023-02-15T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/1813864","last_affected":"7.87.0","CWE":{"desc":"Cleartext Transmission of Sensitive Information","id":"CWE-319"},"package":"curl","URL":"https://curl.se/docs/CVE-2023-23914.json","severity":"Low","affects":"both","www":"https://curl.se/docs/CVE-2023-23914.html","award":{"currency":"USD","amount":"480"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.77.0"},{"fixed":"7.88.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},{"fixed":"076a2f629119222aeeb50f5a03bf9f9052fabb9a"}]}],"versions":["7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:18Z","source":"https://curl.se/docs/CURL-CVE-2023-23914.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}