{"api_version":"1","generated_at":"2026-04-22T21:38:26+00:00","cve":"CVE-2023-38039","urls":{"html":"https://cve.report/CVE-2023-38039","api":"https://cve.report/api/cve/CVE-2023-38039.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-38039","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-38039"},"summary":{"title":"CVE-2023-38039","description":"When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-09-15 04:15:00","updated_at":"2024-04-01 15:45:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://www.insyde.com/security-pledge/SA-2023064","name":"https://www.insyde.com/security-pledge/SA-2023064","refsource":"","tags":[],"title":"Insyde Security Advisory 2023064 | Insyde Software","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: curl-7.85.0-11.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/2072338","name":"https://hackerone.com/reports/2072338","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202310-12","name":"https://security.gentoo.org/glsa/202310-12","refsource":"MISC","tags":[],"title":"curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT214058","name":"https://support.apple.com/kb/HT214058","refsource":"","tags":[],"title":"About the security content of macOS Ventura 13.6.4 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT214036","name":"https://support.apple.com/kb/HT214036","refsource":"","tags":[],"title":"About the security content of macOS Sonoma 14.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: curl-8.2.1-2.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://seclists.org/fulldisclosure/2024/Jan/37","name":"http://seclists.org/fulldisclosure/2024/Jan/37","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: curl-8.0.1-4.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://seclists.org/fulldisclosure/2023/Oct/17","name":"http://seclists.org/fulldisclosure/2023/Oct/17","refsource":"MISC","tags":[],"title":"Full Disclosure: Defense in depth -- the Microsoft way (part 86): shipping\trotten software to billions of unsuspecting customers","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20231013-0005/","name":"https://security.netapp.com/advisory/ntap-20231013-0005/","refsource":"MISC","tags":[],"title":"CVE-2023-38039 curl Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://seclists.org/fulldisclosure/2024/Jan/38","name":"http://seclists.org/fulldisclosure/2024/Jan/38","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2024/Jan/34","name":"http://seclists.org/fulldisclosure/2024/Jan/34","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT214057","name":"https://support.apple.com/kb/HT214057","refsource":"","tags":[],"title":"About the security content of macOS Monterey 12.7.3 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT214063","name":"https://support.apple.com/kb/HT214063","refsource":"","tags":[],"title":"About the security content of iOS 16.7.5 and iPadOS 16.7.5 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38039","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38039","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"39","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_10_1809","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_10_21h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_10_22h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_11_21h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_11_22h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_11_23h2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_server_2019","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38039","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_server_2022","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-38039","qid":"20366","title":"Oracle Database 19c Critical Patch Update - October 2023"},{"cve":"CVE-2023-38039","qid":"20367","title":"Oracle Database 21c Critical Patch Update - October 2023"},{"cve":"CVE-2023-38039","qid":"20368","title":"Oracle Database 19c Critical OJVM Patch Update - October 2023"},{"cve":"CVE-2023-38039","qid":"20399","title":"Oracle Database 19c Critical OJVM Patch Update - January 2024"},{"cve":"CVE-2023-38039","qid":"20400","title":"Oracle Database 19c Critical Patch Update - January 2024"},{"cve":"CVE-2023-38039","qid":"20401","title":"Oracle Database 21c Critical Patch Update - January 2024"},{"cve":"CVE-2023-38039","qid":"242553","title":"Red Hat Update for JBoss Core Services (RHSA-2023:7625)"},{"cve":"CVE-2023-38039","qid":"284514","title":"Fedora Security Update for curl (FEDORA-2023-b1253907f1)"},{"cve":"CVE-2023-38039","qid":"284546","title":"Fedora Security Update for curl (FEDORA-2023-98dff7aae5)"},{"cve":"CVE-2023-38039","qid":"285257","title":"Fedora Security Update for curl (FEDORA-2023-43ef9f5376)"},{"cve":"CVE-2023-38039","qid":"296105","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)"},{"cve":"CVE-2023-38039","qid":"356390","title":"Amazon Linux Security Advisory for curl : ALAS2023-2023-368"},{"cve":"CVE-2023-38039","qid":"356407","title":"Amazon Linux Security Advisory for curl : ALAS2-2023-2271"},{"cve":"CVE-2023-38039","qid":"379298","title":"Apple macOS Ventura 13.6.4 Not Installed (HT214058)"},{"cve":"CVE-2023-38039","qid":"379300","title":"Apple macOS Monterey 12.7.3 Not Installed (HT214057)"},{"cve":"CVE-2023-38039","qid":"379516","title":"IBM Sterling Secure Proxy Multiple Vulnerabilities (7142038)"},{"cve":"CVE-2023-38039","qid":"503352","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-38039","qid":"503682","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-38039","qid":"505863","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-38039","qid":"610539","title":"Apple iOS 16.7.5 and iPadOS 16.7.5 Security Update Missing (HT214063)"},{"cve":"CVE-2023-38039","qid":"691300","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for curl (833b469b-5247-11ee-9667-080027f5fec9)"},{"cve":"CVE-2023-38039","qid":"710772","title":"Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)"},{"cve":"CVE-2023-38039","qid":"754879","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:3692-1)"},{"cve":"CVE-2023-38039","qid":"754967","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:3823-1)"},{"cve":"CVE-2023-38039","qid":"907382","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (29698-1)"},{"cve":"CVE-2023-38039","qid":"907662","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (28833)"},{"cve":"CVE-2023-38039","qid":"907687","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (28833-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-38039","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit in how many or how large headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers and eventually cause curl to run out of heap memory."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"curl","product":{"product_data":[{"product_name":"curl","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"version":"8.3.0","status":"affected","lessThan":"8.3.0","versionType":"semver"},{"version":"7.84.0","status":"unaffected","lessThan":"7.84.0","versionType":"semver"}]}}]}}]}}]}},"references":{"reference_data":[{"url":"https://hackerone.com/reports/2072338","refsource":"MISC","name":"https://hackerone.com/reports/2072338"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/"},{"url":"https://security.gentoo.org/glsa/202310-12","refsource":"MISC","name":"https://security.gentoo.org/glsa/202310-12"},{"url":"https://security.netapp.com/advisory/ntap-20231013-0005/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20231013-0005/"},{"url":"http://seclists.org/fulldisclosure/2023/Oct/17","refsource":"MISC","name":"http://seclists.org/fulldisclosure/2023/Oct/17"}]}},"nvd":{"publishedDate":"2023-09-15 04:15:00","lastModifiedDate":"2024-04-01 15:45:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"7.84.0","versionEndExcluding":"8.3.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.19045.3693","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.22000.2600","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.22621.2715","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.22631.2715","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.5122","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.5122","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.2113","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.19044.3693","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}