CVE-2017-1000254
Description
libcurl's FTP PWD response parser fails to NUL-terminate the directory name when the closing double quote is missing, causing a heap buffer over-read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
When libcurl connects to an FTP server and successfully logs in (anonymous or not), it sends the PWD command to request the current directory path. The server replies with a 257 response containing the path enclosed in double quotes. Due to a flaw in the string parser introduced in commit 415d2e7cb7 (March 2005), if the directory name is provided without a closing double quote, libcurl fails to append a trailing NUL byte to the heap-allocated buffer holding the name. Affected versions are libcurl 7.7 through 7.55.1; versions before 7.7 and from 7.56.0 onward are not affected [4]. The bug was fixed in commit 5ff2c5ff25750aba1a8f64 and released in curl 7.56.0 [4].
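A simplified model of the parsing flaw described above, with one way to harden it alongside (an added example, not curl's source and not the code of the fix commit). The function names, the `hardened` switch and the sample reply are assumptions made for illustration; the `'X'` fill stands in for uninitialised heap so the missing terminator can be observed without reading out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a 257 PWD reply parser. Returns a heap buffer of *cap bytes, or NULL. */
static char *parse_pwd(const char *resp, int hardened, size_t *cap)
{
  const char *p = strchr(resp, '"');
  char *dir, *store;
  int closed = 0;
  if(strncmp(resp, "257", 3) != 0 || !p)
    return NULL;
  *cap = strlen(resp) + 1;
  if(!(dir = malloc(*cap)))
    return NULL;
  memset(dir, 'X', *cap);   /* stand-in for uninitialised heap contents */
  for(store = dir, p++; *p; p++) {
    if(*p == '"') {
      if(p[1] != '"') {     /* closing quote */
        *store = '\0';      /* the only terminator the flawed path writes */
        closed = 1;
        break;
      }
      p++;                  /* "" is an escaped quote inside the path */
    }
    *store++ = *p;
  }
  if(hardened && !closed) { /* no closing quote: discard the entry */
    free(dir);
    return NULL;
  }
  return dir;
}

/* 1 if a NUL lies inside the allocation, so strlen() would stay in bounds */
static int is_terminated(const char *buf, size_t cap)
{
  return memchr(buf, '\0', cap) != NULL;
}

int main(void)
{
  const char *bad = "257 \"/home/user"; /* constructed reply, no closing quote */
  size_t cap;
  char *d = parse_pwd(bad, 0, &cap);
  printf("flawed: terminated=%d\n", is_terminated(d, cap));
  free(d);
  printf("hardened: %s\n", parse_pwd(bad, 1, &cap) ? "kept" : "rejected");
  return 0;
}
```

With `hardened` set to 0 the buffer returned for the unterminated reply contains no NUL anywhere in its allocation, which is the condition that makes a later `strlen()` or copy run past the heap block.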
Exploitation
An attacker must operate a malicious FTP server that accepts login (anonymous or otherwise) and provides a malformed 257 response to the mandatory PWD command—specifically a path string that lacks the closing double quote. No authentication beyond the FTP login is required, as the PWD command is always issued on every new FTP connection. The parser flaw results in a missing NUL terminator, and when libcurl subsequently accesses the stored path string, it reads beyond the allocated heap buffer [4]. The attacker does not need to control the client beyond serving the malicious response; no user interaction beyond initiating an FTP transfer is required.
Impact
A successful attack causes a heap buffer over-read, potentially leading to a segmentation fault and denial of service for any libcurl-based application performing FTP operations against the malicious server. The over-read could also allow the server to retrieve out-of-bounds data from the client's heap, though the advisory notes no known exploit for information disclosure [4]. The primary impact is denial of service due to crashes; the chance of triggering a segfault is high.
Mitigation
The vulnerability is fixed in curl version 7.56.0 (released 2017-10-04) [4]. Users should upgrade to this version or later. For systems that cannot be immediately upgraded, the patch from commit 5ff2c5ff25750aba1a8f64 can be applied. Red Hat has shipped the fix in httpd24-curl 7.61.1 (RHSA-2018:3558 [1]) and in JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2018:2486 [3]). Apple included the fix in macOS High Sierra 10.13.2 and Security Updates 2017-002/005 (HT208331 [2]). There is no known workaround other than avoiding use of FTP with libcurl on unpatched versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords, 15 versions:
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed (no CPE), range: < 7.79.1-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 7.19.7-1.70.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 7.19.7-1.70.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 7.19.7-1.70.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 7.37.0-37.8.1
- pkg:rpm/suse/curl&distro=SUSE%20Studio%20Onsite%201.3 (no CPE), range: < 7.19.7-1.20.53.6.1
- pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY (no CPE), range: < 7.19.7-1.70.8.1
References
- curl.haxx.se/673d0cd8.patch (nvd: Patch, Vendor Advisory)
- curl.haxx.se/docs/adv_20171004.html (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/101115 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039509 (nvd: Third Party Advisory, VDB Entry)
- www.debian.org/security/2017/dsa-3992 (nvd)
- access.redhat.com/errata/RHSA-2018:2486 (nvd)
- access.redhat.com/errata/RHSA-2018:3558 (nvd)
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E (nvd)
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E (nvd)
- security.gentoo.org/glsa/201712-04 (nvd)
- support.apple.com/HT208331 (nvd)