Medium severity6.5NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-1000099

Description

When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.

Affected products

Haxx/Libcurl
cpe:2.3:a:haxx:libcurl:7.54.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

curl.haxx.se/0809C.patchnvdPatchVendor Advisory
security.gentoo.org/glsa/201709-14nvdPatchThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/100281nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039119nvdThird Party AdvisoryVDB Entry
curl.haxx.se/docs/adv_20170809C.htmlnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000