CVE-2023-28322

CVE-2023-28322 is a low-severity vulnerability in Haxx Curl with a CVSS 3.x base score of 3.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-200.

Key facts

Description

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Frequently asked questions

What is CVE-2023-28322?
An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
How severe is CVE-2023-28322?
CVE-2023-28322 has a CVSS 3.x base score of 3.7, rated low severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2023-28322 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-28322?
CVE-2023-28322 primarily affects Haxx Curl. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-28322?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2023-28322 published?
CVE-2023-28322 was published on 2023-05-26 and last updated on 2026-06-17.

References

Affected products (10)

More vulnerabilities in Haxx Curl

All CVEs affecting Haxx Curl →

Other CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities

Browse all CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities →