HSTS subdomain overwrites parent cache entry

🗓️ 06 Nov 2024 08:00:00Reported by curlType

curl🔗 curl.se👁 2 Views

HSTS subdomain bug in curl overwrites parent expiry, misaligning HTTPS window and access.

Reporter	Title	Published	Views	Family All 159
IBM Security Bulletins	Security Bulletin: AIX is vulnerable to sensitive information disclosure (CVE-2025-0167, CVE-2024-11053) and a denial of service (CVE-2024-9681) due to cURL libcurl	10 Jun 202514:37	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities exists in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops.	26 May 202606:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities	14 Nov 202414:21	–	ibm
IBM Security Bulletins	Security Bulletin: Publicly disclosed libcurl vulnerabilities affects IBM Safer Payments (CVE-2024-9681)	11 Sep 202513:57	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in libcURL affect IBM DevOps Code ClearCase.	4 Mar 202514:25	–	ibm
Tenable Nessus	Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2025-1043)	23 Jun 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : curl (ALAS-2025-2724)	9 Jan 202500:00	–	nessus
Tenable Nessus	Apple iOS < 18.4 Multiple Vulnerabilities (122371)	31 Mar 202500:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: cmake / curl / mysql / rust (CVE-2024-9681)	10 Feb 202500:00	–	nessus
Tenable Nessus	Curl 7.74.0 < 8.10.1 Input Misinterpretation (CVE-2024-9681)	8 Nov 202400:00	–	nessus

Vulners

Node

haxx curlRange7.74.0–8.11.0

haxx libcurlRange7.74.0–8.11.0

Source	Link
hackerone	www.hackerone.com/reports/2764830

19 May 2026 11:21Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.15.9 - 6.5

EPSS0.00725

SSVC