CVE-2023-27537: Double Free

March 30, 2023 (updated October 20, 2023)

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate “handles”. This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

References

hackerone.com/reports/1897203
nvd.nist.gov/vuln/detail/CVE-2023-27537

Code Behaviors & Features

Detect and mitigate CVE-2023-27537 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →