{"id":"CURL-CVE-2024-0853","summary":"OCSP verification bypass with TLS session reuse","details":"curl inadvertently kept the SSL session ID for connections in its cache even\nwhen the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh,\nwhich then skipped the verify status check.","aliases":["CVE-2024-0853"],"modified":"2026-05-18T23:10:28.896913Z","published":"2024-01-31T08:00:00Z","database_specific":{"package":"curl","CWE":{"desc":"Improper Check for Certificate Revocation","id":"CWE-299"},"issue":"https://hackerone.com/reports/2298922","affects":"both","last_affected":"8.5.0","www":"https://curl.se/docs/CVE-2024-0853.html","URL":"https://curl.se/docs/CVE-2024-0853.json","award":{"amount":"540","currency":"USD"},"severity":"Low"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.5.0"},{"fixed":"8.6.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"395365ad2d9a6c3f1a35d5e268a6af2824129832"},{"fixed":"c28e9478cb2548848eca9b765d0d409bfb18668c"}]}],"versions":["8.5.0","curl-8_5_0"],"database_specific":{"vanir_signatures_modified":"2026-05-18T23:10:28Z","source":"https://curl.se/docs/CURL-CVE-2024-0853.json","vanir_signatures":[{"digest":{"length":5025,"function_hash":"238450730006193140542600700210748384811"},"signature_type":"Function","deprecated":false,"signature_version":"v1","target":{"file":"lib/vtls/openssl.c","function":"servercert"},"source":"https://github.com/curl/curl.git/commit/c28e9478cb2548848eca9b765d0d409bfb18668c","id":"CURL-CVE-2024-0853-79861d54"},{"digest":{"line_hashes":["114497631425936863817012993526107534880","115198909464429285217625058644659829226","10745843113687217952865983450508381750","237704628286891606960412530438035785442"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1","target":{"file":"lib/vtls/openssl.c"},"source":"https://github.com/curl/curl.git/commit/c28e9478cb2548848eca9b765d0d409bfb18668c","id":"CURL-CVE-2024-0853-ce49dbcc"}]}}],"schema_version":"1.7.5","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}