CVE-2023-23915
Description
A race condition in curl's HSTS cache file handling when multiple transfers are done in parallel can cause HTTP-to-HTTPS upgrades to fail, exposing sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In curl versions prior to 7.88.0, when several URLs are transferred in parallel, the HSTS (HTTP Strict Transport Security) cache file is written by whichever transfer completes last, and that write replaces the entries that earlier-finishing transfers had recorded. Hosts learned during those earlier transfers are therefore missing from the on-disk cache, so a later plain http:// transfer to one of them is not upgraded to https:// as HSTS intends. The defect is present in every curl release with HSTS support (added in 7.74.0) before 7.88.0.
Exploitation
No attacker interaction is needed to trigger the defect: it occurs during ordinary use of parallel transfers (the curl tool's --parallel option, or concurrent transfers in a libcurl application using the multi interface). To benefit from it, an attacker does need a network position from which the plaintext HTTP request that should have been upgraded can be observed or intercepted, on-path or on a shared segment. The loss happens when several transfers finish close together: the last one to complete writes the HSTS cache file, and its contents replace the entries recorded by the transfers that finished before it.
Impact
The consequence is cleartext transmission of sensitive information. A later http:// request to a host whose HSTS entry was lost is sent in plaintext instead of being rewritten to https://, so any credentials, cookies, or tokens carried in that request, and the response body, are exposed on the network. Confidentiality of the communication is compromised; an active on-path attacker can additionally tamper with the unprotected exchange.
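The last-writer-wins behaviour described under Vulnerability and Exploitation, and the downgrade check implied under Impact, as an added Python model. This is not curl's code and not taken from the advisory; it assumes curl's documented HSTS cache file layout (one host per line, a leading dot marking includeSubDomains, a quoted "YYYYMMDD HH:MM:SS" expiry) and models each parallel transfer as loading the file when it starts and writing it when it completes. The sample cache, the host names, and the clock value are constructed for the example.

```python
# Added example: a model of curl's on-disk HSTS cache under parallel transfers.
# Not curl's code. The file format follows curl's documented HSTS cache layout
# (host per line, leading "." = includeSubDomains, quoted "YYYYMMDD HH:MM:SS"
# expiry); the parallel-transfer model is an assumption built from the CVE text.
from __future__ import annotations

import re
from datetime import datetime

HEADER = ("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
          "# This file was generated by libcurl! Edit at your own risk.\n")

# Constructed sample cache: one fresh exact-host entry, one fresh
# includeSubDomains entry, one expired entry.
SAMPLE_CACHE = HEADER + (
    'example.com "20991231 23:59:59"\n'
    '.api.example.net "20991231 23:59:59"\n'
    'stale.example.org "20200101 00:00:00"\n'
)

LINE_RE = re.compile(r'^(\.?)([^\s"]+)\s+"(\d{8} \d{2}:\d{2}:\d{2})"$')
FAR_FUTURE = datetime(2099, 12, 31, 23, 59, 59)
NOW = datetime(2026, 1, 1)  # constructed clock for the example


def parse_hsts(text: str) -> dict[str, tuple[datetime, bool]]:
    """Map host -> (expiry, include_subdomains); comments and blank lines are skipped."""
    entries: dict[str, tuple[datetime, bool]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comment, blank or malformed line
        dot, host, stamp = m.groups()
        entries[host.lower()] = (datetime.strptime(stamp, "%Y%m%d %H:%M:%S"), dot == ".")
    return entries


def serialize_hsts(entries: dict[str, tuple[datetime, bool]]) -> str:
    """Write entries back in the same one-host-per-line format."""
    body = "".join(
        f'{"." if subs else ""}{host} "{exp.strftime("%Y%m%d %H:%M:%S")}"\n'
        for host, (exp, subs) in sorted(entries.items())
    )
    return HEADER + body


def would_upgrade(entries: dict[str, tuple[datetime, bool]], host: str, now: datetime) -> bool:
    """Would an http:// request to `host` be rewritten to https:// from this cache?"""
    host = host.lower()
    for cached, (exp, subs) in entries.items():
        if exp <= now:
            continue  # an expired entry gives no protection
        if host == cached or (subs and host.endswith("." + cached)):
            return True
    return False


def simulate_parallel(initial: str, hosts: list[str], merge_on_save: bool) -> str:
    """Run len(hosts) transfers 'in parallel' against one cache file.

    Every transfer loads the file when it starts (all start before any finishes),
    learns one fresh HSTS entry for its own host, then saves on completion.
    merge_on_save=False is the last-writer-wins behaviour the CVE describes;
    merge_on_save=True re-reads the file and merges before writing.
    """
    file_text = initial
    snapshots = [(h, parse_hsts(initial)) for h in hosts]  # all transfers start
    for host, mine in snapshots:                           # then finish in order
        mine[host.lower()] = (FAR_FUTURE, False)           # learned from the server
        if merge_on_save:
            merged = parse_hsts(file_text)
            merged.update(mine)
            file_text = serialize_hsts(merged)
        else:
            file_text = serialize_hsts(mine)               # private view overwrites file
    return file_text


def lost_hosts(initial: str, hosts: list[str], merge_on_save: bool) -> list[str]:
    """Hosts whose entry was learned but is missing from the final file."""
    final = parse_hsts(simulate_parallel(initial, hosts, merge_on_save))
    return [h for h in hosts if h.lower() not in final]


if __name__ == "__main__":
    hosts = ["one.example", "two.example", "three.example"]
    print("last-writer-wins, lost:", lost_hosts(SAMPLE_CACHE, hosts, merge_on_save=False))
    print("merge-on-save,    lost:", lost_hosts(SAMPLE_CACHE, hosts, merge_on_save=True))
```

With three parallel transfers the last-writer-wins model drops the first two hosts, and would_upgrade then answers False for them, which is exactly the downgrade the Impact section describes; the merge-on-save variant keeps all three. The same parse_hsts and would_upgrade functions can be pointed at a real curl --hsts file to confirm, after an upgrade, that hosts fetched in parallel are retained.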
Mitigation
The vulnerability is fixed in curl 7.88.0 and later; upgrade to at least that version. Distribution packages carry the fix as a backport at the versions they list: for Gentoo Linux the fixed version is >=net-misc/curl-8.3.0-r2 [1], and the SUSE and openSUSE packages under Affected products are fixed from the versions shown there. Until the upgrade is in place, do not combine --parallel with an HSTS cache file (--hsts), and do not rely on the cache to enforce HTTPS: request https:// URLs explicitly, since a URL that is already https:// needs no upgrade and is unaffected by a missing entry.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (5 package versions; no CPE assigned):
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.4 range: < 7.79.1-150400.5.15.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.3 range: < 7.79.1-150400.5.15.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed range: < 7.88.1-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 range: < 7.79.1-150400.5.15.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 range: < 7.79.1-150400.5.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] security.gentoo.org/glsa/202310-12 (mitre, vendor-advisory)
[2] hackerone.com/reports/1826048 (mitre)
[3] security.netapp.com/advisory/ntap-20230309-0006/ (mitre)
News mentions
No linked articles in our index yet.