Security News > 2023 > October > Hyped up curl vulnerability falls short of expectations
Curl 8.4.0 has been released to patch and release details on a hyped up high-severity security vulnerability, easing week-long concerns regarding the flaw's severity.
On October 4th, curl developer Daniel Stenberg warned that the development cycle for curl 8.4.0 would be cut short, and the new version would be released on October 11th to resolve a vulnerability, warning its the worst curl security flaw seen in a long time.
"We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW," explained Stenberg.
On Wednesday, Stenberg released curl 8.4.0 with fixes for two security vulnerabilities: a high-severity heap buffer overflow bug and a low-severity cookie injection flaw.
While the flaw does have the potential to impact curl users, the requirements to exploit the vulnerability make it far less dangerous than initially expected, as it requires that the curl client be configured to use a SOCKS5 proxy when making connections to a remote site and for automatic redirections to be enabled.
"It requires the use of a socks5 proxy to be enabled by the curl user, this is actually quite common when people request API's for security testing, debugging, or other technical work - it is also common when probing Tor services using tools like curl as it typically requires a socks5 proxy to perform the request," Hickey told BleepingComputer in a conversation.