{"id":"CURL-CVE-2023-23915","summary":"HSTS amnesia with --parallel","details":"curl's HSTS cache saving behaves wrongly when multiple URLs are requested in\nparallel.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL. This\nHSTS mechanism would however surprisingly fail when multiple transfers are done\nin parallel as the HSTS cache file gets overwritten by the most recently\ncompleted transfer.\n\nA later HTTP-only transfer to the earlier hostname would then *not* get\nupgraded properly to HSTS.\n\nReproducible like this:\n\n1. `curl --hsts hsts.txt --parallel https://curl.se https://example.com`\n2. `curl --hsts hsts.txt http://curl.se`","aliases":["CVE-2023-23915"],"modified":"2026-05-21T06:00:22.485438021Z","published":"2023-02-15T08:00:00Z","database_specific":{"CWE":{"id":"CWE-319","desc":"Cleartext Transmission of Sensitive Information"},"URL":"https://curl.se/docs/CVE-2023-23915.json","issue":"https://hackerone.com/reports/1814333","award":{"amount":"480","currency":"USD"},"www":"https://curl.se/docs/CVE-2023-23915.html","severity":"Low","package":"curl","affects":"both","last_affected":"7.87.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.77.0"},{"fixed":"7.88.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},{"fixed":"076a2f629119222aeeb50f5a03bf9f9052fabb9a"}]}],"versions":["7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0","curl-7_75_0","curl-7_74_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2023-23915.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}