All users are encouraged to upgrade to the latest version of Curl as soon as possible.
Two security vulnerabilities have recently been uncovered in Curl, a widely used open-source command-line tool and library designed for the secure transfer of data over network connections.
The first vulnerability, CVE-2023-38545, is a heap-based buffer overflow in the SOCKS5 proxy handshake that could allow an attacker to execute arbitrary code on the target system.
The second vulnerability, CVE-2023-38546, is a cookie injection vulnerability in Curl that could allow an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met.
The vulnerabilities, originally identified by Qualys, affect all versions of Curl from 7.69.0 to 8.3.0. Curl is used by millions of users and organizations around the world in a wide variety of applications, including downloading files, sending HTTP requests, and accessing web APIs.
The Curl team has released a patch for both vulnerabilities in Curl 8.4.0. Users are advised to upgrade to the latest version of Curl as soon as possible.
In addition to upgrading to the latest version of Curl, users can also reduce their exposure to the SOCKS5 vulnerability (CVE-2023-38545) by disabling the SOCKS5 proxy feature and by being careful about which SOCKS5 proxies they use.
If you believe that a system may have been exploited through this vulnerability, contact your security team immediately.
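A defender-side check that follows from the advice above, added here as an example and not code from the Curl project: it parses `curl --version` output against the affected range stated in this advisory and flags any proxy environment variables that select a SOCKS5 proxy. The sample `curl --version` string is constructed.

```python
"""Host check for the curl advisory: is libcurl inside the affected range
(7.69.0 through 8.3.0, fixed in 8.4.0), and is a SOCKS5 proxy configured?"""
import os
import re
import shutil
import subprocess

AFFECTED_MIN = (7, 69, 0)
AFFECTED_MAX = (8, 3, 0)
SOCKS5_SCHEMES = ("socks5", "socks5h")
# Proxy environment variables libcurl reads; compared case-insensitively below.
PROXY_VARS = ("all_proxy", "http_proxy", "https_proxy", "ftp_proxy")
# Constructed sample of `curl --version` output, so the checks run offline.
SAMPLE_OUTPUT = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10\n"

def parse_version(text: str):
    """Return (major, minor, patch) from `curl --version` output, preferring the
    libcurl/x.y.z token (the library carries the bug); None if neither is found."""
    match = (re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
             or re.search(r"^curl (\d+)\.(\d+)\.(\d+)", text, re.MULTILINE))
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)

def is_affected(version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def uses_socks5(proxy_url: str) -> bool:
    """True when the proxy URL selects socks5:// or socks5h://."""
    scheme, sep, _ = proxy_url.partition("://")
    return bool(sep) and scheme.lower() in SOCKS5_SCHEMES

def assess(version_output: str, env: dict) -> dict:
    """Report the version, whether it is affected, and which proxy variables
    (sorted by name) point at a SOCKS5 proxy."""
    version = parse_version(version_output)
    socks5_vars = sorted(name for name, value in env.items()
                         if name.lower() in PROXY_VARS and uses_socks5(value))
    return {"version": version,
            "affected": version is not None and is_affected(version),
            "socks5_proxy_vars": socks5_vars}

if __name__ == "__main__":
    # Use the installed curl when present, otherwise the constructed sample.
    output = (subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout
              if shutil.which("curl") else SAMPLE_OUTPUT)
    print(assess(output, dict(os.environ)))
```

A host reporting `"affected": True` or a non-empty `socks5_proxy_vars` list is one to prioritise for the 8.4.0 upgrade.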