Lead developer Daniel Stenberg released an upgraded version of curl Wednesday, which addresses a high-severity open source vulnerability that had much of the cybersecurity industry on edge in recent days.
The release of curl 8.4.0 addresses a vulnerability tracked as CVE-2023-38545, a heap-based buffer overflow that can be triggered during the SOCKS5 proxy handshake.
SOCKS5 is a protocol for setting up network communications through a "middle man," Stenberg said in a blog post.
Stenberg previously warned that the vulnerability was the worst security problem found in curl in a long time and pushed to speed up the release of the upgrade.
Security researchers have been closely monitoring the release, with some even comparing the potential security implications to that of Log4j.
“While many commercial software vendors publish patches and security updates according to a fixed schedule, it is relatively uncommon practice for open source software, which underlines the importance of the upcoming advisory for curl/libcurl,” Henrik Plate, security researcher at Endor Labs, said in a statement Tuesday.
Curl, originally released in 1997, is a widely used tool for transferring files using various protocols, according to Plate. Curl is one of two quasi-standard command line tools used for transferring files in Unix-like terminals, Plate said.
The curl tool contains default behavior that normally protects against the vulnerability, according to Mike McGuire, senior software solutions manager at Synopsys. However, those protections are not included in libcurl versions 7.69.0 through 8.3.0, McGuire said.
McGuire said the new version 8.4.0 addresses the issue by returning an error message when a hostname exceeds 255 bytes, “which is one of the conditions leading to the critical buffer overflow in the vulnerable versions.”
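The 255-byte limit McGuire refers to comes from the SOCKS5 wire format itself (RFC 1928): when a client asks the proxy to resolve a name, the CONNECT request carries the hostname behind a one-byte length field, so a name longer than 255 bytes cannot be expressed and must be rejected up front rather than copied into a buffer. The following is an added example, not curl's or libcurl's own code; it is a simplified, hypothetical request builder that shows the check and the bounds check a hardened implementation needs. The function and constant names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 CONNECT request with ATYP = 0x03 (domain name), per RFC 1928:
 *
 *   VER(0x05) CMD(0x01) RSV(0x00) ATYP(0x03) LEN(1 byte) NAME[LEN] PORT(2 bytes, big-endian)
 *
 * LEN is a single byte, so a hostname longer than 255 bytes cannot be sent to
 * the proxy for remote resolution at all. A builder that truncates the length
 * byte but still copies the full name is exactly the kind of code that writes
 * past the end of its output buffer. */

#define SOCKS5_MAX_HOSTNAME 255   /* hard limit imposed by the 1-byte LEN field */
#define SOCKS5_HEADER_LEN   5     /* VER CMD RSV ATYP LEN */
#define SOCKS5_PORT_LEN     2

enum socks5_result {
    SOCKS5_ERR_HOST_TOO_LONG    = -1,  /* name cannot be represented on the wire */
    SOCKS5_ERR_BUFFER_TOO_SMALL = -2   /* caller's buffer cannot hold the request */
};

/* Hypothetical helper (not libcurl's API): build the CONNECT request into
 * out[0..out_cap). Returns the number of bytes written, or a negative
 * socks5_result. Both checks happen before a single byte is copied. */
int socks5_build_connect(const char *host, uint16_t port, uint8_t *out, size_t out_cap)
{
    size_t hostlen = strlen(host);

    /* Refuse names the protocol cannot carry instead of truncating the length byte. */
    if (hostlen == 0 || hostlen > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_ERR_HOST_TOO_LONG;

    /* Refuse to write more than the caller's buffer can hold. */
    size_t need = SOCKS5_HEADER_LEN + hostlen + SOCKS5_PORT_LEN;
    if (need > out_cap)
        return SOCKS5_ERR_BUFFER_TOO_SMALL;

    out[0] = 0x05;                 /* VER  */
    out[1] = 0x01;                 /* CMD: CONNECT */
    out[2] = 0x00;                 /* RSV  */
    out[3] = 0x03;                 /* ATYP: domain name */
    out[4] = (uint8_t)hostlen;     /* safe: hostlen <= 255 was verified above */
    memcpy(out + SOCKS5_HEADER_LEN, host, hostlen);
    out[SOCKS5_HEADER_LEN + hostlen]     = (uint8_t)(port >> 8);
    out[SOCKS5_HEADER_LEN + hostlen + 1] = (uint8_t)(port & 0xff);
    return (int)need;
}

int main(void)
{
    uint8_t buf[64];
    char longhost[301];

    /* Constructed sample inputs: a normal name and a 300-byte name. */
    memset(longhost, 'a', 300);
    longhost[300] = '\0';

    int n = socks5_build_connect("example.com", 443, buf, sizeof buf);
    printf("example.com:443 -> %d bytes written\n", n);

    n = socks5_build_connect(longhost, 80, buf, sizeof buf);
    printf("300-byte hostname -> result %d (rejected, nothing written)\n", n);

    n = socks5_build_connect("example.com", 80, buf, 10);
    printf("10-byte output buffer -> result %d (rejected, nothing written)\n", n);
    return 0;
}
```

The point of the example is the ordering: the hostname length is validated against the protocol limit, and the total request size against the output buffer, before any copy takes place. Any code path that can forget the first check (for example, by resetting a "resolve locally instead" decision partway through a handshake) is a path that must still fail closed at the second one.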