CVE-2023-38546 in cURLinfo

Summary

by MITRE • 10/25/2023

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/26/2025

The vulnerability identified as CVE-2023-38546 represents a critical cookie handling flaw within the libcurl library that enables arbitrary cookie injection attacks. This issue specifically affects applications that utilize the curl_easy_duphandle function to create duplicate easy handles for managing HTTP transfers. The vulnerability stems from an improper implementation of cookie state duplication where the cookie-enabled configuration is copied but the actual cookie data is not properly cloned. This creates a scenario where cloned handles inherit a corrupted cookie source specification rather than maintaining the original cookie state. The flaw manifests when a source handle has cookies enabled but has not read cookies from any disk file, resulting in the cloned handle storing the string "none" as the cookie file name instead of maintaining the proper cookie handling state.

The technical exploitation of this vulnerability requires specific conditions to be met, including the use of curl_easy_duphandle in applications that have previously enabled cookie handling without specifying a cookie source file. When the source handle has not read cookies from disk, the duplication process incorrectly stores the file name as literal "none" rather than maintaining a null or empty cookie source state. Subsequent operations on the cloned handle that do not explicitly reconfigure cookie sources will then attempt to load cookies from a file literally named "none" in the current working directory. This creates an arbitrary code execution vector where attackers can place malicious cookie data in a file named "none" and have it automatically loaded by applications using the vulnerable libcurl library. The vulnerability is particularly dangerous because it operates silently without explicit user interaction or error reporting, making detection difficult in production environments.

The operational impact of this vulnerability extends beyond simple cookie injection to potentially enable session hijacking, authentication bypasses, and data exfiltration attacks. Applications that rely on libcurl for HTTP communication and cookie management become vulnerable to attacks where malicious actors can inject arbitrary cookies that may contain session tokens, authentication credentials, or other sensitive data. The attack vector is particularly concerning in web applications, API clients, and automated systems that process user data through libcurl-based libraries. The vulnerability aligns with CWE-252, which addresses "Unchecked Return Value" and CWE-200, which covers "Information Exposure," as the flaw can lead to unauthorized access to session information and potential privilege escalation. This vulnerability also maps to ATT&CK technique T1566.001, "Phishing: Spearphishing Attachment," as attackers could leverage this flaw in conjunction with malicious cookie files delivered through phishing campaigns.

Mitigation strategies for CVE-2023-38546 require immediate attention from system administrators and application developers. The primary recommendation is to update to libcurl version 7.85.0 or later, which contains the patched implementation for proper cookie state handling during handle duplication. Organizations should conduct comprehensive vulnerability assessments to identify applications using affected libcurl versions and implement runtime monitoring to detect suspicious cookie file access patterns. Security teams should also implement proper file system access controls to prevent unauthorized creation of cookie files named "none" in application directories. Additionally, applications should explicitly configure cookie sources using curl_easy_setopt with CURLOPT_COOKIEFILE to prevent automatic cookie loading from unspecified sources, and developers should implement proper error handling and validation of cookie file paths to detect and reject invalid cookie source specifications. The vulnerability highlights the importance of proper state management in library functions and demonstrates how seemingly minor implementation flaws can create significant security risks in widely-used networking libraries.

Reservation

07/20/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.06208

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!