VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2024 · Updated Feb 13, 2025

Usage of disabled protocol

CVE-2024-2004

Description

A logic error in curl's protocol selection allows explicitly disabled protocols to be used when a selection string disables all protocols without adding any back.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The flaw is in the handling of protocol selection strings, which the curl tool accepts through --proto (the same syntax is used by --proto-redir) and libcurl through CURLOPT_PROTOCOLS_STR (and CURLOPT_REDIR_PROTOCOLS_STR). Entries are evaluated left to right, starting from the default set, and may carry a modifier: + permits a protocol (the default when no modifier is given), - denies it, and = permits only that protocol; the keyword all names the whole set. When a selection disables every protocol without adding any back (for example --proto -all,-http), an error in the protocol-removal logic left the default set in the allowed set instead of the empty set the string specifies, so a request could proceed over a protocol the caller had explicitly disabled. Affected versions are curl and libcurl 7.85.0 through 8.6.0 inclusive; the range begins with 7.85.0, the release that introduced CURLOPT_PROTOCOLS_STR, and ends before 8.7.0, which contains the fix [4].
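The selection grammar described above, as an added model that is not curl's source code: the scheme list, the default set and every name here are assumptions made for the illustration. proto_select implements the fixed semantics, in which an empty result is authoritative, and proto_select_buggy models only the outcome the advisory describes (the default set surviving a selection that emptied it), not curl's actual code path.

```c
/* Added example: a self-contained model of the protocol-selection grammar that
 * curl's --proto option and libcurl's CURLOPT_PROTOCOLS_STR accept. This is NOT
 * curl's source code; the scheme list, the default set and all names here are
 * assumptions made for the illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long proto_t;

/* A small stand-in for curl's scheme bitmask. */
enum {
  P_HTTP  = 1u << 0,
  P_HTTPS = 1u << 1,
  P_FTP   = 1u << 2,
  P_FTPS  = 1u << 3,
  P_SFTP  = 1u << 4,
  P_FILE  = 1u << 5,
  P_ALL   = P_HTTP | P_HTTPS | P_FTP | P_FTPS | P_SFTP | P_FILE
};

/* Assumed default-allowed set for this model; curl's real default differs. */
#define PROTO_DEFAULT (P_HTTP | P_HTTPS | P_FTP | P_FTPS | P_SFTP)

static const struct { const char *name; proto_t bit; } schemes[] = {
  {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP},
  {"ftps", P_FTPS}, {"sftp", P_SFTP},   {"file", P_FILE},
};

/* Case-insensitive match of a NUL-terminated name against a token of length len. */
static int name_eq(const char *name, const char *tok, size_t len) {
  if (strlen(name) != len) return 0;
  for (size_t i = 0; i < len; i++)
    if (tolower((unsigned char)name[i]) != tolower((unsigned char)tok[i])) return 0;
  return 1;
}

static proto_t lookup(const char *tok, size_t len) {
  for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
    if (name_eq(schemes[i].name, tok, len)) return schemes[i].bit;
  return 0;
}

/* Evaluate a selection string left to right, starting from the default set.
 * Modifiers: '+' permit (the default), '-' deny, '=' permit only; "all" names
 * every scheme. Returns 0 and stores the set in *out, or -1 on a malformed
 * entry or unknown scheme. The result is authoritative: an empty set means
 * that no scheme at all is allowed, which is what the fixed behaviour requires. */
static int proto_select(const char *spec, proto_t *out) {
  proto_t set = PROTO_DEFAULT;
  const char *p = spec;
  while (*p) {
    char action = '+';
    while (*p == '+' || *p == '-' || *p == '=') action = *p++;
    const char *tok = p;
    while (*p && *p != ',') p++;
    size_t len = (size_t)(p - tok);
    if (len == 0) return -1;                     /* empty entry or bare modifier */
    proto_t bits = name_eq("all", tok, len) ? P_ALL : lookup(tok, len);
    if (!bits) return -1;                        /* unknown scheme */
    if (action == '=')      set = bits;
    else if (action == '+') set |= bits;
    else                    set &= ~bits;
    if (*p == ',') p++;
  }
  *out = set;
  return 0;
}

/* Model of the pre-fix failure mode the advisory describes: the selection
 * empties the set, yet the default set remains in force. This illustrates the
 * outcome only, not curl's actual code path. */
static int proto_select_buggy(const char *spec, proto_t *out) {
  proto_t set;
  if (proto_select(spec, &set) != 0) return -1;
  *out = set ? set : PROTO_DEFAULT;
  return 0;
}

/* Wrappers returning the set directly; (proto_t)-1 signals a parse error,
 * because 0 is a legitimate (empty) result. */
static proto_t select_set(const char *spec) {
  proto_t s;
  return proto_select(spec, &s) == 0 ? s : (proto_t)-1;
}
static proto_t select_set_buggy(const char *spec) {
  proto_t s;
  return proto_select_buggy(spec, &s) == 0 ? s : (proto_t)-1;
}

/* The check a transfer must pass before it may use a URL's scheme. */
static int scheme_allowed(proto_t set, const char *scheme) {
  proto_t bit = lookup(scheme, strlen(scheme));
  return bit != 0 && (set & bit) != 0;
}

int main(void) {
  const char *spec = "-all,-http";   /* the advisory's example selection */
  printf("%-12s fixed: http %s | pre-fix model: http %s\n", spec,
         scheme_allowed(select_set(spec), "http") ? "allowed" : "denied",
         scheme_allowed(select_set_buggy(spec), "http") ? "allowed" : "denied");
  return 0;
}
```

The point to take from the two evaluators: a selection that removes everything is a valid, if useless, request for an empty allow-list, and the allow-list check must honour it rather than treat "nothing selected" as "use the defaults". Any caller that builds a selection string dynamically should apply the same rule to its own fallback logic.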

Exploitation

Triggering the flaw requires a protocol selection string that removes every protocol without adding any back, supplied either on the curl command line (for example curl --proto -all,-http http://curl.se) or by an application passing such a string to libcurl through CURLOPT_PROTOCOLS_STR. Nobody writes that selection on purpose, since it asks for no transfer to be possible at all, so the realistic path is a wrapper script or application that assembles the selection from configuration or from input it does not fully control and that relies on an emptied selection to deny every protocol. An attacker who can influence those arguments, or who already has local access to run curl, could cause a transfer over a protocol the configuration meant to forbid.

Impact

Successful exploitation results in curl performing a transfer over a protocol that was explicitly disabled. That bypasses any restriction that relies on protocol selection alone, for instance a policy that only ever meant to permit HTTPS, and could let a request reach an untrusted server over a plaintext protocol such as HTTP, exposing its contents to disclosure or man-in-the-middle tampering. The curl security team assessed this as low severity because the required selection string has no practical use and is unlikely to be encountered in real-world configurations [4].

Mitigation

Users should update to curl 8.7.0 or later; the fix shipped in 8.7.0 on March 27, 2024, together with the security advisory [4]. Until then, do not rely on a selection string that removes every protocol to deny all transfers, and make sure scripts and applications that build --proto or CURLOPT_PROTOCOLS_STR values from configuration or untrusted input cannot produce such a string. The vulnerability was also addressed in Apple's macOS Sonoma 14.6, Ventura 13.6.8, and Monterey 12.7.6 updates (CVE-2024-40804, CVE-2024-40783) [1][2][3].
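A first-pass inventory check for the version range above, as an added example that is not part of curl: it reads the first line of `curl --version` output and reports whether the linked libcurl falls inside 7.85.0 through 8.6.0 inclusive. The sample lines are constructed; the function names are this example's own.

```c
/* Added example: check whether the libcurl named in a "curl --version" first
 * line is inside the range the curl advisory lists as affected, 7.85.0 through
 * 8.6.0 inclusive. Not part of curl; the sample lines below are constructed. */
#include <stdio.h>
#include <string.h>

/* Parse "X.Y.Z" (also "X.Y" and "X.Y.Z-DEV"); returns 1 on success. */
static int parse_ver(const char *s, int v[3]) {
  v[0] = v[1] = v[2] = 0;
  return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) >= 2;
}

static int vercmp(const int a[3], const int b[3]) {
  for (int i = 0; i < 3; i++)
    if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

/* Returns 1 if the libcurl in version_line is in the affected range,
 * 0 if it is outside it, and -1 if no "libcurl/X.Y.Z" token is present.
 * The linked libcurl is what matters: the tool and library versions can differ. */
static int libcurl_affected(const char *version_line) {
  static const int first_bad[3] = {7, 85, 0};
  static const int last_bad[3]  = {8, 6, 0};
  const char *p = strstr(version_line, "libcurl/");
  int v[3];
  if (!p || !parse_ver(p + strlen("libcurl/"), v)) return -1;
  return vercmp(v, first_bad) >= 0 && vercmp(v, last_bad) <= 0;
}

int main(void) {
  /* Constructed samples in the shape of `curl --version` first lines. */
  const char *samples[] = {
    "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3",
    "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 OpenSSL/3.0.13 zlib/1.3",
    "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11",
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    int r = libcurl_affected(samples[i]);
    printf("%s\n  -> %s\n", samples[i],
           r < 0 ? "no libcurl version found"
                 : r ? "AFFECTED by version (upgrade to 8.7.0 or later)"
                     : "not affected by version");
  }
  return 0;
}
```

Treat the version result as a hint rather than a verdict: vendors such as Apple and Linux distributions backport fixes under older version numbers, so confirm against the vendor advisory or test the behaviour directly. On a fixed build, the advisory's command run against an address you control, such as curl --proto -all,-http http://127.0.0.1:1/, is refused before any connection is made and exits non-zero; on an affected build curl attempts the plaintext request.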

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

13

News mentions

0

No linked articles in our index yet.