CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score: 7.5 High
Confidence: High
EPSS: 0.001 Low
Percentile: 43.9%

curl supports "chained" HTTP compression algorithms, meaning that a server
response can be compressed multiple times and potentially with different
algorithms. The number of acceptable "links" in this "decompression chain" was
capped, but the cap was implemented on a per-header basis, allowing a malicious
server to insert a virtually unlimited number of compression steps simply by
using many headers.
The use of such a decompression chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap memory, or trying to
do so and returning out-of-memory errors.
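
The difference between a per-header cap and a per-response cap, as an added example that is not curl's own code. The function names, the MAX_CHAIN value and the sample header values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CHAIN 5 /* assumed cap for this example, not taken from the page */

/* Constructed sample: Content-Encoding values from four header lines. */
static const char *const SAMPLE[] = {
  "gzip, gzip, gzip", "gzip, gzip, gzip", "gzip, gzip, gzip", "gzip, gzip, gzip"
};

/* Count comma-separated encoding names in one header value. */
static size_t count_tokens(const char *v)
{
  size_t n = 0;
  while(*v) {
    v += strspn(v, " \t,");        /* skip separators and blanks */
    size_t len = strcspn(v, ",");  /* length of the next token */
    if(len) n++;
    v += len;
  }
  return n;
}

/* Flawed: the count restarts on every header line. 0 = accept, -1 = reject. */
static int accept_per_header(const char *const *hdrs, size_t nhdrs)
{
  for(size_t i = 0; i < nhdrs; i++)
    if(count_tokens(hdrs[i]) > MAX_CHAIN)
      return -1;
  return 0;
}

/* Hardened: one running total for the whole response. */
static int accept_per_response(const char *const *hdrs, size_t nhdrs)
{
  size_t total = 0;
  for(size_t i = 0; i < nhdrs; i++) {
    total += count_tokens(hdrs[i]);
    if(total > MAX_CHAIN)
      return -1;
  }
  return 0;
}

int main(void)
{
  printf("per-header check:   %d\n", accept_per_header(SAMPLE, 4));
  printf("per-response check: %d\n", accept_per_response(SAMPLE, 4));
  return 0;
}
```

Each sample header stays under the cap on its own, so the per-header check accepts a twelve-step chain that the per-response check rejects.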