
October 2023

CVE-2023-38545 Curl Vulnerability Details Finally Released

On October 5, 2023, we released a blog post discussing the Curl Vulnerability, the critical security issue in Curl and libcurl version 8.4.0, known as CVE-2023-38545. In addition, there was another low-severity vulnerability, CVE-2023-38546. These vulnerabilities were scheduled to be disclosed on October 11, creating significant anticipation. Now, that long-awaited date has arrived, bringing with it detailed information about the vulnerabilities, along with the release of the necessary patches.

CVE-2023-38545, A High Severity cURL and libcurl CVE, to be published on October 11th

A high-severity cURL vulnerability (CVE-2023-38545) is expected to be published in tandem with the 8.4.0 releases of the package on October 11th. While not much is known about the nature of the vulnerability, according to Daniel Stenberg, Curl’s creator and core maintainer, the vulnerability is “the worst security problem found in curl in a long time”.

The CVE-2023-5217 Deja Vu - Another Actively Exploited Chrome Vulnerability Affecting a WebM Project Library (libvpx)

By Ofri Ouzan & Yotam Perkal, Rezilion Security Research

On September 27th, 2023, Google released an update including 10 security fixes. Notably, one of these fixes, identified as CVE-2023-5217, was highlighted for having an existing exploit in the wild. On October 2nd, 2023, CISA added this vulnerability to their KEV Catalog, signifying that it is being actively exploited in the wild.