CVE-2023-23914
📋 TL;DR
A vulnerability in curl versions before 7.88.0 causes HSTS (HTTP Strict Transport Security) to fail when processing multiple URLs sequentially on the same command line. This allows sensitive information to be transmitted over cleartext HTTP instead of encrypted HTTPS for subsequent requests after the first. Anyone using curl with HSTS enabled to handle multiple URLs in a single command is affected.
💻 Affected Systems
- curl
- libcurl
- any software using vulnerable curl/libcurl versions
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Sensitive data (authentication tokens, session cookies, personal information) is transmitted in cleartext over the network and may be intercepted by an attacker, leading to account compromise, data theft, or man-in-the-middle attacks.
Likely Case
Accidental exposure of sensitive information when curl scripts process multiple URLs with HSTS expectations, particularly in automated workflows or CI/CD pipelines.
If Mitigated
Minimal impact if proper network segmentation, encryption monitoring, and alternative security controls are implemented alongside HSTS.
🎯 Exploit Status
Exploitation requires the ability to intercept network traffic or a man-in-the-middle position; a proof of concept was demonstrated in the HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.88.0 and later
Vendor Advisory: https://curl.se/docs/CVE-2023-23914.html
Restart Required: No
Instructions:
1. Update curl to version 7.88.0 or later.
2. For Linux: use your package manager (apt-get update && apt-get upgrade curl, yum update curl, etc.).
3. For Windows: download the latest version from curl.se.
4. Recompile any applications using libcurl against the updated version.
🔧 Temporary Workarounds
Process URLs separately
Run separate curl commands for each URL instead of processing multiple URLs in a single command line.
# Instead of: curl --hsts hsts.txt http://example.com http://example2.com
# Use: curl --hsts hsts.txt http://example.com && curl --hsts hsts.txt http://example2.com
Force HTTPS in URLs
Explicitly use HTTPS URLs instead of relying on HSTS conversion.
curl https://example.com https://example2.com
🧯 If You Can't Patch
- Disable HSTS usage entirely and implement alternative transport security controls
- Implement network-level TLS inspection and blocking of cleartext HTTP for sensitive domains
🔍 How to Verify
Check if Vulnerable:
Run curl --version | head -1; any version before 7.88.0 is affected. Optionally confirm the behaviour with an HSTS-enabled command that lists multiple URLs.
Check Version:
curl --version | head -1
Verify Fix Applied:
Confirm curl version is 7.88.0 or later: curl --version | head -1
📡 Detection & Monitoring
Log Indicators:
- Cleartext HTTP requests to domains with HSTS policies after initial HTTPS request in same session
- curl commands with multiple URLs and HSTS flags in process logs
Network Indicators:
- HTTP traffic (not HTTPS) to known HSTS-enabled domains following initial secure connection
SIEM Query:
source="curl_logs" AND "--hsts" AND (http:// OR "multiple URLs")
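As an added example, not part of this advisory or of curl's own tooling, the following Python script applies the "curl commands with multiple URLs and HSTS flags" log indicator above to constructed sample process-execution log lines. The "timestamp host=... cmd=..." log format and the list of curl options that take an argument are assumptions.

```python
import re
import shlex

# Constructed sample process-execution log lines (not real logs), in a
# hypothetical "<timestamp> host=<name> cmd=<command line>" format.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z host=build01 cmd=curl --hsts hsts.txt http://example.com http://example2.com
2024-01-01T10:00:05Z host=build01 cmd=curl --hsts hsts.txt http://example.com
2024-01-01T10:00:09Z host=build02 cmd=curl https://example.com https://example2.com
2024-01-01T10:00:12Z host=build02 cmd=curl --hsts hsts.txt https://example.com http://example2.com/api
2024-01-01T10:00:20Z host=build03 cmd=/usr/bin/curl -o out.bin --hsts /tmp/h http://example.com
"""
# curl options that consume the next token (so it is not misread as a URL);
# a partial list that covers the samples, extend it for your environment.
OPTS_WITH_ARG = {"--hsts", "-o", "--output", "-H", "--header", "-d", "--data",
                 "-X", "--request", "-u", "--user", "-b", "--cookie", "-c"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
CMD_RE = re.compile(r"\bcmd=(.*)$")

def parse_curl(cmd):
    """Return (uses_hsts, urls) for a curl command line, or None if not curl."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    uses_hsts, urls, skip = False, [], False
    for tok in argv[1:]:
        if skip:                      # previous option already consumed this token
            skip = False
            continue
        if tok == "--hsts":
            uses_hsts = True
        if tok in OPTS_WITH_ARG:
            skip = True
        elif URL_RE.match(tok):
            urls.append(tok)
    return uses_hsts, urls

def find_hsts_multi_url(log_text):
    """Return [(line, at_risk_urls)] for curl runs using --hsts with 2+ URLs; at_risk_urls
    are the http:// URLs after the first, which curl before 7.88.0 would not upgrade."""
    hits = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        parsed = parse_curl(m.group(1)) if m else None
        if parsed and parsed[0] and len(parsed[1]) >= 2:
            at_risk = [u for u in parsed[1][1:] if u.lower().startswith("http://")]
            hits.append((line, at_risk))
    return hits
```

Only the first and fourth sample lines are flagged: both use --hsts with two URLs and have a cleartext URL after the first.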