An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the โchainedโ HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable โlinksโ in this โdecompression chainโ wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a โmalloc bombโ, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | curl | <ย 7.88.1-1 | curl_7.88.1-1_all.deb |
Debian | 11 | all | curl | <ย 7.74.0-1.3+deb11u7 | curl_7.74.0-1.3+deb11u7_all.deb |
Debian | 10 | all | curl | <ย 7.64.0-4+deb10u5 | curl_7.64.0-4+deb10u5_all.deb |
Debian | 999 | all | curl | <ย 7.88.1-1 | curl_7.88.1-1_all.deb |
Debian | 13 | all | curl | <ย 7.88.1-1 | curl_7.88.1-1_all.deb |