The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-8285

CVE-2020-8285: Haxx Libcurl Buffer Overflow Vulnerability

CVE-2020-8285 is a buffer overflow vulnerability in Haxx Libcurl caused by uncontrolled recursion in FTP wildcard parsing. This article covers the technical details, affected versions 7.21.0 to 7.73.0, and mitigation.

Published: March 4, 2026

CVE-2020-8285 Overview

CVE-2020-8285 is a stack overflow vulnerability in the curl command-line tool and libcurl library affecting versions 7.21.0 through 7.73.0. The vulnerability exists in the FTP wildcard matching functionality, where uncontrolled recursion can lead to a stack overflow condition. When a curl client processes specially crafted FTP server responses containing deeply nested wildcard patterns, it can exhaust stack space and crash, resulting in a denial of service condition.

This vulnerability is particularly concerning because curl and libcurl are among the most widely deployed network transfer tools, embedded in countless applications, operating systems, and network appliances across enterprise environments.

Critical Impact

Attackers can trigger a denial of service by causing stack exhaustion through malicious FTP wildcard patterns, potentially disrupting critical services that rely on curl for data transfers.

Affected Products

  • Haxx libcurl versions 7.21.0 to 7.73.0
  • Apple macOS and Mac OS X (multiple versions)
  • Debian Linux 9.0 and 10.0
  • Fedora 32 and 33
  • NetApp Clustered Data ONTAP, HCI Management Node, SolidFire, and HCI Storage/Compute Nodes
  • Oracle Communications Billing and Revenue Management 12.0.0.3.0
  • Oracle Communications Cloud Native Core Policy 1.14.0
  • Oracle Essbase 21.2
  • Oracle PeopleSoft Enterprise PeopleTools 8.58
  • Fujitsu M10 and M12 series firmware
  • Siemens SINEC Infrastructure Network Services
  • Splunk Universal Forwarder

Discovery Timeline

  • December 14, 2020 - CVE-2020-8285 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-8285

Vulnerability Analysis

The vulnerability resides in curl's FTP wildcard matching implementation, which is used when retrieving files from FTP servers using glob patterns. The parser processes wildcard patterns recursively without adequate depth limitations, allowing an attacker controlling an FTP server (or performing a man-in-the-middle attack) to craft responses that trigger excessive recursion.

When curl connects to an FTP server and requests files using wildcard patterns (e.g., *.txt or [a-z]*.log), the server's directory listing response is processed by curl's wildcard matching engine. If the pattern matching logic encounters deeply nested bracket expressions or complex pattern combinations, it recurses without proper bounds checking. This causes the call stack to grow until available stack memory is exhausted.

The vulnerability can be triggered remotely over the network without requiring authentication. The impact is limited to availability since the stack overflow results in a crash rather than code execution due to modern stack protection mechanisms.

Root Cause

The root cause is uncontrolled recursion (CWE-674) in the FTP wildcard pattern matching code. The recursive function responsible for evaluating glob-style patterns did not implement adequate recursion depth limits. This allowed specially crafted input to cause unbounded recursive calls, eventually exceeding the process's stack allocation and triggering a crash.

The wildcard matching functionality, while useful for retrieving multiple files with pattern matching, was not designed with adversarial input in mind. The code assumed pattern complexity would be bounded by typical user input rather than potentially malicious server responses.

Attack Vector

The attack vector is network-based and requires the victim's curl client to connect to a malicious or compromised FTP server. The attack can be executed through several scenarios:

An attacker operating a malicious FTP server can craft directory listing responses containing patterns designed to maximize recursion depth when processed by curl's wildcard matching engine.

The malicious FTP server responds with crafted file listings that exploit the recursive pattern matching. When curl attempts to match requested patterns against these listings, the uncontrolled recursion exhausts stack space, causing the curl process to crash.

This attack requires user interaction to initiate the FTP connection, though in automated environments where curl connects to external FTP servers, exploitation could occur without direct user involvement.

Detection Methods for CVE-2020-8285

Indicators of Compromise

  • Unexpected curl process crashes when connecting to FTP servers
  • Stack overflow errors in system logs associated with curl or applications using libcurl
  • FTP server responses containing unusually complex or deeply nested patterns in directory listings
  • Repeated service restarts for applications depending on libcurl for FTP transfers

Detection Strategies

  • Monitor for curl process crashes accompanied by stack overflow signals (SIGSEGV with stack-related indicators)
  • Implement network monitoring to detect FTP connections to untrusted or newly registered domains
  • Deploy application crash analysis to identify stack exhaustion patterns in curl-dependent services
  • Review system logs for abnormal termination of processes utilizing libcurl FTP functionality

Monitoring Recommendations

  • Configure crash dump collection for curl processes and applications using libcurl
  • Establish baseline metrics for FTP transfer operations and alert on abnormal failure rates
  • Monitor for FTP connections to suspicious or unknown external servers
  • Implement endpoint detection rules for stack overflow conditions in network transfer utilities

How to Mitigate CVE-2020-8285

Immediate Actions Required

  • Upgrade curl and libcurl to version 7.74.0 or later, which contains the fix for this vulnerability
  • Audit systems and applications to identify all instances of curl/libcurl requiring updates
  • Restrict FTP connections to known trusted servers where possible
  • Consider disabling FTP wildcard matching functionality if not required for operations

Patch Information

The curl project addressed this vulnerability in version 7.74.0, released in December 2020. The fix implements proper recursion depth limits in the FTP wildcard matching code to prevent stack exhaustion.

Patches and updates are available from:

  • Official curl CVE-2020-8285 Advisory
  • Debian Security Advisory DSA-4881
  • Apple Security Updates HT212325, HT212326, HT212327
  • NetApp Security Advisory NTAP-20210122-0007
  • Oracle Critical Patch Update April 2021
  • Siemens Security Advisory SSA-389290

Workarounds

  • Avoid using FTP wildcard matching features when connecting to untrusted servers
  • Configure network policies to restrict FTP connections to approved internal servers only
  • Deploy application-level controls to validate FTP server responses before processing
  • Consider using SFTP or other secure transfer protocols instead of FTP where feasible
bash
# Verify installed curl version
curl --version

# Check if libcurl is updated on Linux systems
apt-cache policy libcurl4 # Debian/Ubuntu
rpm -q curl libcurl       # RHEL/CentOS

# Upgrade curl on Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade curl libcurl4

# Upgrade curl on RHEL/CentOS
sudo yum update curl libcurl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechLibcurl
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.75%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-674
  • Technical References
  • Full Disclosure Post
  • GitHub Issue on CURL
  • HackerOne Report #1045844
  • Apache BookKeeper Thread 1
  • Apache BookKeeper Thread 2
  • Debian LTS Announcement
  • Fedora Package Announcement 1
  • Fedora Package Announcement 2
  • Gentoo GLSA 202012-14
  • NetApp Security Advisory NTAP-20210122-0007
  • Apple Support Document HT212325
  • Apple Support Document HT212326
  • Apple Support Document HT212327
  • Debian DSA-4881
  • Vendor Resources
  • Siemens Security Advisory
  • CURL CVE-2020-8285 Details
  • Oracle CPU July 2021 Alert
  • Oracle CPU April 2021 Alert
  • Oracle CPU April 2022 Alert
  • Oracle CPU January 2022 Alert
  • Related CVEs
  • CVE-2025-0725: NetApp HCI BMC Buffer Overflow Vulnerability
  • CVE-2024-6197: Haxx Libcurl Buffer Overflow Vulnerability
  • CVE-2024-6874: Haxx Libcurl Buffer Overflow Vulnerability
  • CVE-2026-22026: CryptoLib KMC Client DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English