CVE-2024-6874

low-risk

Published 2024-07-24

libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string.

Do I need to act?

0.99% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Libcurl

Affected Vendors

Haxx

References (9)

Mailing List http://www.openwall.com/lists/oss-security/2024/07/24/2

Vendor Advisory https://curl.se/docs/CVE-2024-6874.html

Vendor Advisory https://curl.se/docs/CVE-2024-6874.json

Exploit https://hackerone.com/reports/2604391

Mailing List http://www.openwall.com/lists/oss-security/2024/07/24/2

Vendor Advisory https://curl.se/docs/CVE-2024-6874.html

Vendor Advisory https://curl.se/docs/CVE-2024-6874.json

Exploit https://hackerone.com/reports/2604391

https://security.netapp.com/advisory/ntap-20240822-0004/

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal