Cybersecurity · 2 min read

Curling into a Security Storm: What You Need to Know About curl 8.4.0's High Severity Flaw

Picture this: you're sipping your morning coffee, scrolling through GitHub notifications, and suddenly, you stumble upon a discussion that makes you spit out your latte. That's precisely what happened when the maintainers of the ubiquitous curl tool announced a high-severity security flaw. The news is as unsettling as finding out your VPN has been leaking your data. Let's dive into what this means for you and the broader tech community.

The Announcement

On October 11, curl 8.4.0 will be released, cutting its usual release cycle short. The update will include fixes for two CVEs (Common Vulnerabilities and Exposures), one rated as HIGH severity and the other as LOW. The HIGH-rated CVE is described as "probably the worst curl security flaw in a long time." The affected CVEs are:

  • CVE-2023-38545: HIGH severity (affects both libcurl and the curl tool)
  • CVE-2023-38546: LOW severity (affects libcurl only)

The announcement explicitly states that there will be no API or ABI changes in the upcoming release. For the full details, you can read the GitHub discussion.

Why Wait for the Release?

You might be wondering, why not release the fix immediately? The maintainers have opted for a set release date to:

  1. Deliberate on the vulnerability and write a comprehensive advisory.
  2. Allow distribution maintainers to prepare patched updates.
  3. Align the project's resources for the new release.

The risk of someone discovering the flaw within this short window is considered minimal, given that the issue has remained undetected for years.

Who Are These "Distro People"?

The term "distro people" refers to trusted individuals from mainstream Linux distributions who have early access to patches and more information than the general public. They are responsible for preparing updates for their respective distributions.

What's Next?

  1. For Developers: If you're using libcurl in your projects, be prepared to update as soon as the new version is out.
  2. For End-Users: Keep an eye out for updates from your distribution's maintainers. Apply patches as soon as they are available.
  3. For Distribution Maintainers: If you're one of the "distro people," now is the time to prepare patches and updates.
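To make the "be prepared to update" advice concrete, here is an added example (not from the original post or the curl project) that reads the first line of `curl --version` and flags any host where the curl tool or libcurl is still below 8.4.0; the sample version line is constructed, and because distributions often backport a fix while keeping the older version string, treat a "needs update" result as a prompt to check your distro's advisory rather than as proof of exposure.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# curl 8.4.0 is the release carrying the fixes for CVE-2023-38545 / CVE-2023-38546.
FIXED_IN: Version = (8, 4, 0)

# Constructed sample of the first line printed by `curl --version` (not real host output).
SAMPLE_VERSION_LINE = "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13"


def parse_versions(first_line: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Return (tool_version, libcurl_version) from the first `curl --version` line.

    The tool and the library it links against can differ, and the HIGH-rated CVE
    affects both, so both are extracted. Either is None when not present."""
    def to_tuple(m: Optional[re.Match]) -> Optional[Version]:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

    tool = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", first_line)
    lib = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", first_line)
    return to_tuple(tool), to_tuple(lib)


def needs_update(first_line: str) -> bool:
    """True when the curl tool or libcurl reports a version below 8.4.0.

    Compares numeric tuples rather than strings, so 8.10.0 correctly sorts
    above 8.4.0. Caveat: distro builds that backport the fix keep the old
    version number, so a True here means "check your distribution's advisory"."""
    tool, lib = parse_versions(first_line)
    if tool is None and lib is None:
        raise ValueError(f"not a curl --version line: {first_line!r}")
    return any(v < FIXED_IN for v in (tool, lib) if v is not None)


def check_local_curl() -> Optional[bool]:
    """Run the installed curl and classify it; None when curl is not available."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return needs_update(proc.stdout.splitlines()[0])


if __name__ == "__main__":
    print("sample host needs update:", needs_update(SAMPLE_VERSION_LINE))
    local = check_local_curl()
    print("local curl:", "not found" if local is None else ("UPDATE NEEDED" if local else "8.4.0 or newer"))
```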

Conclusion

In the world of cybersecurity, staying ahead of vulnerabilities is like playing a never-ending game of whack-a-mole. While the details are still under wraps, what we do know is that this is a HIGH severity issue that has been lurking in the shadows for years. So mark your calendars for October 11 and prepare to update—because this is one curl you don't want to skip.


Note: The information in this blog post is based on the GitHub discussion started by the curl maintainers. For the most accurate and up-to-date information, please refer to the official curl website and GitHub repository.