CVE-2023-38039

Name: CVE-2023-38039
Creator: NVD / NIST
Published: 2023-09-15T04:15:10.127+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 62.25%

Last modified Jun 17, 2026

CVE-2023-38039 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.. EPSS estimates a 62.25% chance of exploitation in the next 30 days.

Description

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

62.25%

99.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Haxx	Curl	>= 7.84.0, < 8.3.0
Fedoraproject	Fedora	37
Fedoraproject	Fedora	38
Fedoraproject	Fedora	39
Microsoft	Windows 10 1809	< 10.0.17763.5122
Microsoft	Windows 10 21h2	< 10.0.19044.3693
Microsoft	Windows 10 22h2	< 10.0.19045.3693
Microsoft	Windows 11 21h2	< 10.0.22000.2600
Microsoft	Windows 11 22h2	< 10.0.22621.2715
Microsoft	Windows 11 23h2	< 10.0.22631.2715
Microsoft	Windows Server 2019	< 10.0.17763.5122
Microsoft	Windows Server 2022	< 10.0.20348.2113

References

http://seclists.org/fulldisclosure/2023/Oct/17Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/34Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/37Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/38Mailing List, Third Party Advisory
https://hackerone.com/reports/2072338Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/Mailing List
https://security.gentoo.org/glsa/202310-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20231013-0005/Third Party Advisory
https://support.apple.com/kb/HT214036Third Party Advisory
https://support.apple.com/kb/HT214057Third Party Advisory
https://support.apple.com/kb/HT214058Third Party Advisory
https://support.apple.com/kb/HT214063Third Party Advisory
https://www.insyde.com/security-pledge/SA-2023064Third Party Advisory
http://seclists.org/fulldisclosure/2023/Oct/17Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/34Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/37Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/38Mailing List, Third Party Advisory
https://hackerone.com/reports/2072338Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/Mailing List
https://security.gentoo.org/glsa/202310-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20231013-0005/Third Party Advisory
https://support.apple.com/kb/HT214036Third Party Advisory
https://support.apple.com/kb/HT214057Third Party Advisory
https://support.apple.com/kb/HT214058Third Party Advisory
https://support.apple.com/kb/HT214063Third Party Advisory
https://www.insyde.com/security-pledge/SA-2023064Third Party Advisory

Timeline

Published: Sep 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-38039?

How severe is CVE-2023-38039?

CVE-2023-38039 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 62.25% probability of exploitation in the next 30 days.

How do I fix CVE-2023-38039?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-38039?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST