Upcoming High Severity Vulnerability in curl and libcurl
curl is a popular command-line tool for transferring data using various network protocols. curl is used almost ubiquitously, and shipped with almost all Linux distributions.
The curl maintainer announced recently that on Oct 11, 2023, at around 6:00 UTC, a new version 8.4.0 of curl and libcurl will be released to address a High severity vulnerability, which has been assigned CVE-2023-38545.
In the maintainer’s own words:
This is probably the worst security problem found in curl in a long time.
Please be advised to follow updates and upgrade to the latest version once available.
While not all security data is currently available, and the exact impact of this issue is still to be determined, Snyk Security Team is monitoring for updates, will update the curl security advisory accordingly, and will share more information in the following blog post: High severity vulnerability found in libcurl and curl.