Critical libcurl Vulnerabilities (CVE-2023-38545 & CVE-2023-38546) and Upcoming curl 8.4.0 Patch
The article reports two high‑severity libcurl vulnerabilities (CVE‑2023‑38545 and CVE‑2023‑38546) disclosed by curl’s maintainer, explains the limited public information before the scheduled curl 8.4.0 release, and urges developers to upgrade promptly due to the library’s widespread use.
Good morning, I’m Xuan Yuan. Yesterday a screenshot circulated in my WeChat group showed a tweet from curl’s lead developer Daniel Stenberg announcing that curl 8.4.0, scheduled for release on Wednesday, October 11, will fix two vulnerabilities – one high‑severity and one low‑severity – identified as CVE‑2023‑38545 and CVE‑2023‑38546.
Unlike typical disclosures, Stenberg deliberately withheld details about the affected versions and the nature of the bugs, keeping the CVE entries in a reserved state on the official CVE database without public descriptions.
The curl project’s website now displays a prominent warning about the severity of the issue, emphasizing that this may be the most serious libcurl flaw in years.
curl is a widely‑used command‑line tool and library that supports many protocols (HTTP, HTTPS, FTP, FTPS, SFTP, LDAP, SMTP, POP3, IMAP, RTSP, RTMP, etc.) and is often employed for downloading web pages, API testing, file transfers, custom request crafting, uploading forms, and SSL certificate verification.
Web page download from any HTTP/HTTPS server.
API testing and interaction for RESTful services.
Data transfer via FTP or other supported protocols.
Network operation simulation with custom methods, headers, cookies, etc.
Web page upload via HTTP POST.
Verification and testing of SSL certificates, redirects, etc.
Beyond the curl tool itself, the underlying libcurl library is embedded in countless applications and middleware, meaning the vulnerability’s impact surface is extremely broad.
Having used libcurl extensively in C/C++ projects, I suspect the flaw could enable remote code execution (RCE), potentially comparable in severity to the historic Log4j exploit.
All developers and operations engineers should be prepared to apply the patch as soon as curl 8.4.0 is released.
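Since the fixed release is known (8.4.0) but the affected range is not, a practical first step is to inventory which hosts still report an older libcurl. The script below is an added example, not code from the post or the curl project: it parses the first line of a `curl --version` banner, reads the separately reported `libcurl/X.Y.Z` token (an application can be linked against a different libcurl than the curl binary), and compares it numerically against 8.4.0. The sample banner is constructed for illustration.

```shell
#!/bin/sh
# Added example: flag libcurl builds that predate the curl 8.4.0 release.
# Input is the first line of `curl --version`, e.g. (constructed sample):
#   curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
# The libcurl token is checked rather than the tool version because the
# library bundled into an application may differ from the curl binary.

FIXED_VERSION="8.4.0"   # release that ships the fix, per the announcement

# vcomp VERSION N: print the N-th dotted component as a number (0 if absent).
vcomp() {
    c=$(printf '%s\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
    printf '%s\n' "${c:-0}"
}

# version_lt A B: exit status 0 when A is numerically older than B.
# Component-wise comparison, so 8.10.0 correctly sorts after 8.4.0.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vcomp "$1" "$i"); b=$(vcomp "$2" "$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# libcurl_version BANNER: print the version after "libcurl/" (empty if missing).
libcurl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's#^libcurl/##p' | head -n 1
}

# needs_patch BANNER: exit status 0 when libcurl is older than FIXED_VERSION,
# or when no libcurl token is present and the build cannot be vouched for.
needs_patch() {
    v=$(libcurl_version "$1")
    [ -z "$v" ] && return 0
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample banner, not captured from a real host.
SAMPLE="curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13"
if needs_patch "$SAMPLE"; then
    echo "libcurl $(libcurl_version "$SAMPLE") is older than $FIXED_VERSION: schedule the upgrade"
else
    echo "libcurl $(libcurl_version "$SAMPLE") is at or past $FIXED_VERSION"
fi
# Live check on this host: needs_patch "$(curl --version | head -n 1)"
```

Running the live check across a fleet gives the list of hosts to patch first once 8.4.0 is out; applications that statically link libcurl still need to be tracked separately, since the system curl banner says nothing about them.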
IT Services Circle