You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0
Details
HIGH severity vulnerability in curl and libcurl: announcement
Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "probably the worst curl security flaw in a long time".
A patched version (8.4.0) and details will be published around 06:00 UTC on October 11.
curl_cffi wheels on PyPI ship with libcurl 7.84.0
Summary
curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0
Details
HIGH severity vulnerability in curl and libcurl: announcement
Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "probably the worst curl security flaw in a long time".
A patched version (8.4.0) and details will be published around 06:00 UTC on October 11.
curl_cffi wheels on PyPI ship with libcurl 7.84.0
PoC
https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h
Resolution
Versions after 0.7 bundles with
libcurl>=8.5, which is not affected by this issue.