VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2023 · Updated Mar 12, 2025

CVE-2023-23916

Description

A malloc bomb in curl <7.88.0, caused by an unlimited decompression chain in HTTP compression headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

curl versions before 7.88.0 contain a resource-exhaustion flaw in the handling of chained HTTP compression. A server may declare that a response body was compressed several times over, by listing several codings in a Content-Encoding (or Transfer-Encoding) header, and curl sets up one decompression stage for each coding it sees. Affected versions did cap the number of stages, but the cap was checked per header [1]: a server that spreads the chain across many headers, each individually under the cap, can make curl build an effectively unlimited number of stages, each backed by its own heap allocation, which is the "malloc bomb" [2]. The trigger is therefore a crafted HTTP response carrying many compression headers; the body itself does not need to be large, since the stages are allocated while the headers are parsed.

Exploitation

An attacker who controls the server, whether by operating a malicious site, by luring a user or an automated fetcher to one, or from a man-in-the-middle position on a plaintext connection, sends a response whose head contains many compression headers. No authentication and no write access on the client side is needed; the client only has to fetch the URL. On receipt, curl allocates a decompression stage, with its own heap buffers, for every coding listed across those headers. A sufficiently long chain exhausts available memory, leaving the curl process, or the application linked against libcurl, in an out-of-memory condition.
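The two paragraphs above describe a cap that was enforced per header and a per-link allocation that turns an uncapped chain into a malloc bomb. The following Python model, added here as an illustration and not curl's own code or anything from the cited references, parses a raw HTTP/1.1 response head, collects the coding chain from every Content-Encoding and Transfer-Encoding header, and applies both policies: the per-header check the advisory attributes to pre-7.88.0 curl and the whole-chain check that replaced it. The cap value MAX_CHAIN, the function names, and the restriction to gzip/deflate are assumptions for the example; the hostile response is constructed inline.

```python
"""Model of chained HTTP decompression with a per-header cap versus a total cap."""
from __future__ import annotations

import gzip
import zlib

# Assumed cap on chained codings (curl uses a small constant; the value is illustrative).
MAX_CHAIN = 5
ENCODING_HEADERS = ("content-encoding", "transfer-encoding")
FRAMING_ONLY = {"chunked", "identity"}   # framing, not compression: no decompressor needed


def parse_head(raw: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 response into lowercase (name, value) header pairs and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower().decode("latin-1"),
                          value.strip().decode("latin-1")))
    return pairs, body


def encoding_chains(headers: list[tuple[str, str]]) -> list[list[str]]:
    """One list per encoding header, holding the codings it names in the order applied."""
    chains = []
    for name, value in headers:
        if name in ENCODING_HEADERS:
            codings = [c.strip().lower() for c in value.split(",") if c.strip()]
            chains.append([c for c in codings if c not in FRAMING_ONLY])
    return chains


def accepted_per_header(chains: list[list[str]], cap: int = MAX_CHAIN) -> bool:
    """Pre-fix policy as the advisory describes it: each header is checked on its own,
    so a thousand headers with one coding apiece all pass."""
    return all(len(c) <= cap for c in chains)


def accepted_total(chains: list[list[str]], cap: int = MAX_CHAIN) -> bool:
    """Fixed policy: the cap covers the whole chain, however many headers carry it."""
    return sum(len(c) for c in chains) <= cap


def build_decoders(chains: list[list[str]]) -> list:
    """Allocate one decompressor per link. This per-link allocation, made before any body
    byte is consumed, is what an unbounded chain turns into a malloc bomb."""
    decoders = []
    for chain in chains:
        for coding in chain:
            if coding in ("gzip", "x-gzip"):
                decoders.append(zlib.decompressobj(16 + zlib.MAX_WBITS))
            elif coding == "deflate":
                decoders.append(zlib.decompressobj())
            else:
                raise ValueError(f"unsupported coding {coding!r}")
    return decoders


def decode_body(raw: bytes, policy) -> bytes:
    """Enforce the chain-length policy first, then undo the codings, last applied first."""
    headers, body = parse_head(raw)
    chains = encoding_chains(headers)
    if not policy(chains):
        raise ValueError("encoding chain too long")
    for d in reversed(build_decoders(chains)):
        body = d.decompress(body) + d.flush()
    return body


def rejected(raw: bytes, policy) -> bool:
    """True when the policy refuses the response before any decompressor is allocated."""
    try:
        decode_body(raw, policy)
    except ValueError:
        return True
    return False


def legit_double_gzip() -> bytes:
    """Constructed benign response whose body really was gzip-compressed twice."""
    body = gzip.compress(gzip.compress(b"hello from a doubly-compressed body"))
    return b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip, gzip\r\n\r\n" + body


def build_bomb(n_headers: int, per_header: int = 1) -> bytes:
    """Constructed hostile response: many Content-Encoding headers, each under the
    per-header cap, adding up to n_headers * per_header decompression links."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/plain"]
    lines += [b"Content-Encoding: " + b", ".join([b"gzip"] * per_header)] * n_headers
    return b"\r\n".join(lines) + b"\r\n\r\n" + gzip.compress(b"x")
```

Running decode_body on legit_double_gzip() with either policy yields the plaintext, which is why a cap of a handful of links is harmless for real traffic. Running it on build_bomb(200) shows the difference: accepted_per_header lets all 200 single-coding headers through and build_decoders then creates 200 decompressor objects before the body is touched, while accepted_total refuses the response outright. The same counting logic, applied to response heads at a proxy or in an IDS rule, is a cheap way to flag hostile servers even where the client has already been patched.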

Impact

Successful exploitation results in denial of service (DoS) due to memory exhaustion. curl may allocate enormous amounts of heap memory, potentially causing the application to crash or become unresponsive. There is no direct information disclosure, file write, or remote code execution from this vulnerability alone. The impact is limited to availability, but the attack can be performed from a remote, unauthenticated position.

Mitigation

The vulnerability is fixed in curl 7.88.0 and later [1]; upgrade to that version or newer. Gentoo users have been advised to upgrade to >=net-misc/curl-8.3.0-r2 as part of a GLSA [2]. Check the first line of curl --version output to confirm the installed version, and remember that applications linked against libcurl need the library updated, not only the command-line tool. No workaround is available for affected versions; upgrading (or backporting the upstream fix) is the only mitigation.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 27

Patches: 0 (no patches discovered yet)

References: 6

News mentions: 0 (no linked articles in the index yet)