Critical curl/libcurl Vulnerabilities CVE‑2023‑38545 & CVE‑2023‑38546 – What You Need to Know

The curl project announced the upcoming 8.4.0 release and disclosed two high‑severity CVEs that affect both the curl command‑line tool and the libcurl library, urging organizations to audit their usage, prepare upgrades, and stay alert for further details.

MaGe Linux Operations

Recently, the curl project's maintainer, Daniel Stenberg (bagder), announced on GitHub that curl 8.4.0 will be released on October 11, 2023, and that two vulnerabilities, CVE‑2023‑38545 and CVE‑2023‑38546, will be disclosed alongside that release.

CVE‑2023‑38545 is a high‑severity flaw that impacts both the curl command‑line tool and the libcurl library. Given the massive usage of curl and libcurl, security teams are urged to quickly audit any products or services that incorporate these components and prepare for upgrades.

The details of the vulnerabilities remain confidential; all that has been said is that versions released over the past several years are affected. Both CVE entries are currently listed as reserved in the official CVE database and show only their identifiers.

Melissa Bischoping, Endpoint Security Research Director at Tanium, emphasized that curl’s widespread adoption means organizations should expand their monitoring scope. Even if the vulnerability does not affect every curl version, the early notice and potential impact justify treating it as a major security event.

curl is an open‑source command‑line tool created in the late 1990s for transferring data to and from servers by URL. It supports a broad range of internet protocols, including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, LDAP, and MQTT, which is why it is found across operating systems and embedded devices alike.

While the curl command‑line tool is affected, the more critical issue is that libcurl, the underlying library linked into countless applications, shares the same flaw, which widens the attack surface far beyond hosts where the curl binary is used directly.

Because detailed vulnerability information is not yet public, the recommended approach is to proactively inventory every use of curl and libcurl in your environment now (packaged binaries, system libraries, and copies bundled inside applications and firmware) and, once full details are released, assess exposure and apply the necessary patches.
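The inventory step above, as an added example that is not part of the original article: a POSIX shell script that reads the versions reported by `curl --version`, lists libcurl shared objects known to the dynamic linker, and flags anything older than 8.4.0, the release the project named as carrying the fixes. The function names are this example's own, `ldconfig` is a Linux-specific assumption, and the sample version line in the comments is constructed.

```shell
#!/bin/sh
# Added example, not the article's code: inventory curl/libcurl on a host and
# flag versions older than 8.4.0, the release announced as carrying the fixes.
FIXED_VERSION="8.4.0"

# version_lt A B: succeeds when dotted version A is older than version B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # "+ 0" drops suffixes such as 4-DEV
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                              # equal versions are not "older"
    }'
}

# Parse the first line of `curl --version`, which looks like (constructed):
#   curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11
# The tool and the linked libcurl can differ, so both are reported.
tool_version_from_line() { printf '%s\n' "$1" | awk '{ print $2 }'; }
libcurl_version_from_line() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F/ '$1 == "libcurl" { print $2; exit }'
}

# classify VERSION: the article gives no lower bound, so every version older
# than the fix release is treated as in scope for patching.
classify() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "VULNERABLE-RANGE"; else echo "FIXED"; fi
}

# audit_host: report the curl binary on PATH and libcurl shared objects in the
# linker cache. Copies bundled inside applications or firmware images are not
# covered by ldconfig and need a separate filesystem search.
audit_host() {
    line=$(curl --version 2>/dev/null | head -n 1)
    if [ -n "$line" ]; then
        t=$(tool_version_from_line "$line"); l=$(libcurl_version_from_line "$line")
        echo "curl tool   $t  $(classify "$t")"
        echo "libcurl     $l  $(classify "$l")"
    fi
    ldconfig -p 2>/dev/null | awk '/libcurl/ { print "shared obj  " $NF }'
}

# Run the audit only when invoked as: sh audit.sh --run
case "${1:-}" in --run) audit_host ;; esac
```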

(Copyright belongs to the original author, removed upon request)

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
