CVE-2023-23914 Overview
CVE-2023-23914 is a cleartext transmission vulnerability in curl versions prior to 7.88.0. The flaw causes HTTP Strict Transport Security (HSTS) functionality to fail when multiple URLs are requested serially on the same command line. Curl's HSTS support normally upgrades insecure HTTP requests to HTTPS, even when the URL specifies HTTP. The defect prevents HSTS state from being carried between transfers, so subsequent requests fall back to cleartext HTTP. The vulnerability is tracked under [CWE-319] Cleartext Transmission of Sensitive Information.
Critical Impact
Sensitive data, including credentials and session tokens, can be transmitted in cleartext when curl processes multiple URLs serially, exposing traffic to interception and modification by network-positioned attackers.
Affected Products
- Haxx curl versions prior to 7.88.0
- NetApp Active IQ Unified Manager, Clustered Data ONTAP, and H-Series firmware (H300S, H410S, H500S, H700S)
- Splunk Universal Forwarder, including version 9.1.0
Discovery Timeline
- 2023-02-23 - CVE-2023-23914 published to the National Vulnerability Database (NVD)
- 2023-03-09 - NetApp publishes security advisory ntap-20230309-0006
- 2023-10 - Gentoo releases GLSA 202310-12
- 2025-03-12 - Last updated in NVD database
Technical Details for CVE-2023-23914
Vulnerability Analysis
The vulnerability resides in how curl manages HSTS state across multiple transfers initiated from a single command-line invocation. HSTS is a security mechanism that instructs clients to use HTTPS instead of HTTP for a given host. When curl processes a series of URLs sequentially, the HSTS state cache is not properly propagated to subsequent transfer handles. The first transfer correctly upgrades to HTTPS, but later transfers ignore the HSTS policy and proceed over plaintext HTTP. Attackers in a network man-in-the-middle (MITM) position can intercept, read, and manipulate the cleartext traffic, capturing authentication tokens, session cookies, and other sensitive payloads.
Root Cause
The root cause is improper state initialization between consecutive transfers in the same curl process. The internal HSTS cache, which should authoritatively dictate the use of HTTPS for known hosts, is not consulted when curl reinitializes per-transfer state for serial URL processing. This is classified under [CWE-319] because it results in cleartext transmission where encryption was explicitly expected.
Attack Vector
An attacker on the network path between the curl client and the target server can passively observe or actively modify HTTP traffic to a host that should have been protected by HSTS. Exploitation requires no privileges and no user interaction. Typical scenarios include automation scripts, CI/CD pipelines, and embedded systems that invoke curl with multiple URLs in a single command. Refer to the HackerOne Report #1813864 for the original technical details.
Detection Methods for CVE-2023-23914
Indicators of Compromise
- Outbound HTTP requests to hosts that should be reached exclusively over HTTPS according to organizational HSTS policy or browser preload lists.
- curl processes invoking multiple URLs in a single command line where at least one target hostname matches a previously HTTPS-only host.
- Network captures showing HTTP plaintext requests originating from systems running curl versions earlier than 7.88.0.
Detection Strategies
- Inventory curl binaries across endpoints and servers using software composition tooling and flag versions below 7.88.0.
- Inspect proxy and egress firewall logs for plaintext HTTP requests from automation hosts that should be using HTTPS.
- Audit shell scripts, cron jobs, and CI/CD pipeline definitions for curl invocations passing multiple URLs in one execution.
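The detection strategies above can be scripted. The following is an added example, not code from the curl project or from this advisory: a POSIX shell script with two helpers, one that classifies a curl version string against the 7.88.0 fix threshold, and one that scans script, cron, or pipeline text for curl invocations that pass two or more URLs of which at least one is plain http://. The function names and the sample lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the curl project: two audit helpers
# for CVE-2023-23914. Both operate on text you supply, so they run offline.

# Return success (0) when VERSION is older than 7.88.0, the first fixed release.
# Usage with the installed binary (not run here):
#   curl_version_vulnerable "$(curl --version | head -n1 | awk '{print $2}')"
curl_version_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0
        # affected: any 7.x with minor below 88, or anything older than 7
        if (major < 7 || (major == 7 && minor < 88)) exit 0
        exit 1
    }'
}

# Read shell script, cron, or pipeline text on stdin and print every line that
# invokes curl with two or more URLs of which at least one is plain http://.
# Those are the invocations where an unpatched curl skips the HSTS upgrade on
# a later transfer. Output format: "<line number>: <line>".
find_multi_url_curl() {
    awk '
        /(^|[^A-Za-z0-9_])curl[[:space:]]/ {
            line = $0
            # gsub() returns the match count; replacing with "&" keeps the text
            total = gsub(/https?:\/\/[^[:space:]]+/, "&", line)
            plain = gsub(/http:\/\/[^[:space:]]+/, "&", line)
            if (total >= 2 && plain >= 1) print NR ": " $0
        }'
}

# Demo on constructed lines (not real audit data).
curl_version_vulnerable 7.87.0 && echo "curl 7.87.0: affected, upgrade to 7.88.0 or later"
printf '%s\n' \
    'curl https://example.com/login http://example.com/api' \
    'curl -sS https://example.com/only' \
    'curl -o out https://example.com/a https://example.com/b' \
    | find_multi_url_curl
```

Pointed at real input, for example `cat /etc/cron.d/* | find_multi_url_curl`, each hit is an invocation where the first transfer may be upgraded by HSTS while the later http:// transfer leaves in cleartext on a curl older than 7.88.0; invocations that already spell https:// on every URL are not reported, because that is the recommended interim configuration.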
Monitoring Recommendations
- Enable TLS inspection on egress proxies to identify hosts being contacted over HTTP when HTTPS is expected.
- Correlate process telemetry of curl executions with destination URL schemes to detect anomalous HTTP traffic from patched-but-misconfigured systems.
- Track vendor advisories for embedded products such as NetApp ONTAP and Splunk Universal Forwarder, which bundle vulnerable curl versions.
How to Mitigate CVE-2023-23914
Immediate Actions Required
- Upgrade curl and libcurl to version 7.88.0 or later on all affected hosts.
- Apply vendor-supplied patches for NetApp Active IQ Unified Manager, Clustered Data ONTAP, H-Series firmware, and Splunk Universal Forwarder as referenced in the NetApp Security Advisory ntap-20230309-0006.
- Review automation that invokes curl with multiple URLs and refactor to use one URL per invocation until patching is complete.
Patch Information
The curl project fixed this defect in version 7.88.0. Downstream distributions issued aligned updates, including Gentoo GLSA 202310-12. Vendors embedding curl, such as NetApp and Splunk, have published product-specific updates referenced in their security advisories.
Workarounds
- Split serial URL requests into separate curl invocations; the first transfer in each process honors HSTS, so no later transfer falls back to HTTP.
- Explicitly specify the https:// scheme in all URLs passed to curl rather than relying on HSTS upgrades.
- Route curl traffic through an egress proxy that enforces HTTPS for hosts with known HSTS requirements.
# Configuration example: verify the installed curl version and enforce HTTPS explicitly
# The first line of `curl --version` names the version; it must read 7.88.0 or later
curl --version | head -n1
# Until patching is complete, pass explicit https:// URLs instead of relying on HSTS upgrades
curl https://example.com/a https://example.com/b
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.