{"id":"CVE-2023-38039","details":"When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.","aliases":["CURL-CVE-2023-38039"],"modified":"2026-05-01T04:20:15.049841Z","published":"2023-09-15T03:21:54.348Z","related":["SUSE-SU-2023:3692-1","SUSE-SU-2023:3823-1","openSUSE-SU-2024:13230-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38039.json","unresolved_ranges":[{"extracted_events":[{"last_affected":"8.3.0"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"hackerone"},"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2023/Oct/17"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/34"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/37"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/38"},{"type":"WEB","url":"https://hackerone.com/reports/2072338"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/"},{"type":"WEB","url":"https://support.apple.com/kb/HT214036"},{"type":"WEB","url":"https://support.apple.com/kb/HT214057"},{"type":"WEB","url":"https://support.apple.com/kb/HT214058"},{"type":"WEB","url":"https://support.apple.com/kb/HT214063"},{"type":"WEB","url":"https://www.insyde.com/security-pledge/SA-2023064"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38039.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38039"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-12"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20231013-0005/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"45ac4d019475df03562fe0ac54eb67e1d1de0ca7"},{"fixed":"6fa1d817e5b1a00d7d0c8168091877476b499317"}],"database_specific":{"extracted_events":[{"introduced":"7.84.0"},{"fixed":"8.3.0"}],"cpe":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["curl-7_84_0","curl-7_85_0","curl-7_86_0","curl-7_87_0","curl-7_88_0","curl-7_88_1","curl-8_0_0","curl-8_0_1","curl-8_1_0","curl-8_1_1","curl-8_1_2","curl-8_2_0","curl-8_2_1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38039.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}