On October 5, 2023, Daniel Stenberg, the maintainer and original author of curl, issued an advisory regarding two security vulnerabilities found in the curl library. This article describes what is known about the vulnerabilities and offers recommendations for organizations to mitigate the risks.
The first vulnerability, classified as high severity, has been described as "probably the worst curl security flaw in a long time." It affects libcurl and requires careful attention. Docker, a containerization platform, has issued an advisory to help customers identify whether their container images include the curl library as a dependency.
The second vulnerability, tracked as CVE-2023-38546, will also be disclosed on October 11, 2023. Both vulnerabilities will be addressed in the upcoming release, curl version 8.4.0, which will include a patch for both issues.
The exact circumstances that trigger these vulnerabilities are still unknown, making it difficult to determine which users are at risk. However, organizations are advised to take this issue seriously, as threat actors may attempt to exploit the flaws once details are public.
To assess their exposure, organizations should inventory and scan their systems for curl and libcurl to identify potentially vulnerable versions. Integrating software composition analysis (SCA) tools into the software development life cycle gives the most thorough view of exposure to the curl vulnerabilities, but a quick evaluation can be done without SCA tools. Organizations should also monitor for exploit attempts and exercise caution when obtaining patches and fixed versions of curl. They should be prepared to patch their systems as soon as the new version of curl, 8.4.0, is released on October 11.
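The quick evaluation without SCA tools mentioned above, as an added example that is not part of the original article: a POSIX shell script that records the curl binary version, the libcurl it links against, any libcurl shared libraries known to the dynamic loader, and the distro package records, then flags anything older than 8.4.0 (the fixed version named in the article) as still needing the patch. The sample `curl --version` output is constructed; the host paths and package-manager commands are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example (not from the article): inventory curl/libcurl on a Linux host
# without an SCA tool. 8.4.0 is the fixed version named in the advisory; anything
# older has not received the fix. Commands and paths below are assumptions
# about a typical Linux host.
FIXED_VERSION="8.4.0"

# version_lt A B: succeeds when dotted version A sorts numerically before B.
# Field-wise numeric sort is used instead of GNU-only `sort -V` for portability.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Extract "x.y.z" after "curl " on the first line of `curl --version` output.
parse_curl_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Extract the linked libcurl version from the same line; it can differ from the binary.
parse_libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# needs_patch VERSION: prints "needs patch" when VERSION is older than the fix.
needs_patch() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "needs patch"; else echo "fixed"; fi
}

# Check every place curl can live on the host: the binary, the shared library
# other programs load, and the package database.
inventory_host() {
    if command -v curl >/dev/null 2>&1; then
        out="$(curl --version 2>/dev/null || true)"
        bin="$(parse_curl_version "$out")"
        lib="$(parse_libcurl_version "$out")"
        echo "curl binary:    ${bin:-unknown} ($(needs_patch "${bin:-0}"))"
        echo "linked libcurl: ${lib:-unknown} ($(needs_patch "${lib:-0}"))"
    else
        echo "curl binary: not on PATH"
    fi
    # libcurl shared objects registered with the dynamic loader.
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep -i libcurl | sed 's/^/ldconfig: /'
    fi
    # Distro package records, whichever package manager is present.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='dpkg: ${Package} ${Version}\n' 'curl' 'libcurl*' 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 'curl*' 'libcurl*' 2>/dev/null | sed 's/^/rpm: /'
    fi
}

# Constructed sample of `curl --version` output, used to show the parsing step.
SAMPLE="curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2022-01-05"

echo "sample: curl $(parse_curl_version "$SAMPLE") -> $(needs_patch "$(parse_curl_version "$SAMPLE")")"
inventory_host
```

Run the script on each host (or inside each container image with `docker run --rm --entrypoint sh IMAGE -c "$(cat inventory.sh)"`) and collect the output centrally; the package-record lines matter because a statically built tool can carry its own libcurl that the binary check never sees, so an empty result from the script is not proof of absence.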
Organizations should monitor their package provider for updates and follow any patching advice it provides. As more details about the vulnerabilities become available, Synopsys will provide additional information and patching advice. It is crucial for organizations to address these vulnerabilities promptly to mitigate potential risks and ensure the security of their systems.