{"id":"CURL-CVE-2023-23916","summary":"HTTP multi-header compression denial of service","details":"curl supports \"chained\" HTTP compression algorithms, meaning that a server\nresponse can be compressed multiple times and potentially with different\nalgorithms. The number of acceptable \"links\" in this \"decompression chain\" was\ncapped, but the cap was implemented on a per-header basis allowing a malicious\nserver to insert a virtually unlimited number of compression steps by using\nmany headers.\n\nThe use of such a decompression chain could result in a \"malloc bomb\", making\ncurl end up spending enormous amounts of allocated heap memory, or trying to\nand returning out of memory errors.","aliases":["CVE-2023-23916"],"modified":"2026-05-19T09:30:06.066369860Z","published":"2023-02-15T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/1826048","www":"https://curl.se/docs/CVE-2023-23916.html","last_affected":"7.87.0","award":{"amount":"2400","currency":"USD"},"URL":"https://curl.se/docs/CVE-2023-23916.json","affects":"both","CWE":{"desc":"Allocation of Resources Without Limits or Throttling","id":"CWE-770"},"package":"curl","severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.57.0"},{"fixed":"7.88.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"dbcced8e32b50c068ac297106f0502ee200a1ebd"},{"fixed":"119fb187192a9ea13dc90d9d20c215fc82799ab9"}]}],"versions":["7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0","curl-7_75_0","curl-7_74_0","curl-7_73_0","curl-7_72_0","curl-7_71_1","curl-7_71_0","curl-7_70_0","curl-7_69_1","curl-7_69_0","curl-7_68_0","curl-7_67_0","curl-7_66_0","curl-7_65_3","curl-7_65_2","curl-7_65_1","curl-7_65_0","curl-7_64_1","curl-7_64_0","curl-7_63_0","curl-7_62_0","curl-7_61_1","curl-7_61_0","curl-7_60_0","curl-7_59_0","curl-7_58_0","curl-7_57_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2023-23916.json"}}],"schema_version":"1.7.5","credits":[{"name":"Patrick Monnerat","type":"FINDER"},{"name":"Patrick Monnerat","type":"REMEDIATION_DEVELOPER"}]}