
Much ado about cURL

Blog post from Semgrep

Post Details
Company: Semgrep
Date Published:
Author: Kurt Boberg
Word Count: 873
Language: English
Hacker News Points: -
Summary

Semgrep Supply Chain, designed to streamline vulnerability management by filtering out unnecessary alerts, has addressed the recent cURL version 8.4.0 release, which patches a heap corruption issue affecting libcurl versions 7.69.0 to 8.3.0. The vulnerability, identified as CVE-2023-38545, arises when a hostname longer than 255 bytes is used in SOCKS5 requests, potentially leading to heap corruption on systems without proper memory safety. Users who accept arbitrary URLs without validating the hostname are particularly at risk. The recommended immediate action is to update the system curl and libcurl via package managers to mitigate the vulnerability.

Additionally, Semgrep Supply Chain is investigating the presence of vulnerable statically-linked libcurl dependencies, emphasizing the importance of updating the system environment rather than individual libraries. This approach ensures the most comprehensive protection against the exploit, and users are encouraged to conduct a dependency audit to understand how their libraries link to libcurl.
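The two checks a defender would want from the summary above, a libcurl version-range test for the audit and a hostname-length guard for code that accepts arbitrary URLs, written here as an added illustration and not code from Semgrep or the curl project; the `curl --version` sample lines are constructed, and measuring the hostname as its UTF-8 byte length is an assumption.

```python
import re
from urllib.parse import urlsplit

# Vulnerable libcurl range stated in the post: 7.69.0 up to and including 8.3.0.
VULN_MIN = (7, 69, 0)
VULN_MAX = (8, 3, 0)
# SOCKS5 hostname limit stated in the post: longer than 255 bytes triggers the bug.
SOCKS5_MAX_HOST = 255

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_version(curl_version_output):
    """Extract the libcurl version tuple from `curl --version` output, or None."""
    m = _LIBCURL_RE.search(curl_version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def libcurl_in_vulnerable_range(curl_version_output):
    """True when the linked libcurl falls inside 7.69.0 .. 8.3.0."""
    v = libcurl_version(curl_version_output)
    return v is not None and VULN_MIN <= v <= VULN_MAX


def hostname_exceeds_socks5_limit(url):
    """True when the URL's hostname is longer than 255 bytes (UTF-8 length; assumption)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return len(host.encode("utf-8")) > SOCKS5_MAX_HOST


# Constructed sample first lines of `curl --version` output (not captured from real hosts).
SAMPLES = {
    "old-distro": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
    "vulnerable": "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11",
    "patched": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11",
}


def audit(samples=SAMPLES):
    """Map each sample name to whether its libcurl needs updating."""
    return {name: libcurl_in_vulnerable_range(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, flagged in audit().items():
        print(f"{name}: {'UPDATE NEEDED' if flagged else 'ok'}")
    print("long hostname rejected:", hostname_exceeds_socks5_limit("http://" + "a" * 300 + ".example/"))
```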