CVE-2023-23914 Overview
A cleartext transmission of sensitive information vulnerability exists in curl versions prior to v7.88.0 that causes HSTS (HTTP Strict Transport Security) functionality to fail when multiple URLs are requested serially on the same command line. When using curl's HSTS support, the tool can be instructed to use HTTPS instead of insecure cleartext HTTP even when HTTP is provided in the URL. However, the HSTS upgrade would be ignored by subsequent transfers on the same command line because the HSTS state was not carried over between requests.
Critical Impact
Sensitive information transmitted over HTTP in cleartext due to HSTS bypass, potentially exposing credentials, session tokens, and other confidential data to network-based attackers.
Affected Products
- Haxx curl (versions prior to 7.88.0)
- NetApp Active IQ Unified Manager for VMware vSphere
- NetApp Clustered Data ONTAP 9.0
- NetApp H300S/H500S/H700S/H410S Firmware
- Splunk Universal Forwarder (multiple versions including 9.1.0)
Discovery Timeline
- 2023-02-23 - CVE-2023-23914 published to NVD
- 2025-03-12 - Last updated in NVD database
Technical Details for CVE-2023-23914
Vulnerability Analysis
This vulnerability (CWE-319: Cleartext Transmission of Sensitive Information) affects curl's implementation of HTTP Strict Transport Security (HSTS). HSTS is a critical web security mechanism that instructs clients to only communicate with servers over HTTPS connections, protecting against protocol downgrade attacks and cookie hijacking.
The flaw lies in how curl manages HSTS state across multiple URL requests within a single command-line invocation. When a user specifies multiple URLs to be fetched sequentially (using the -: or --next options, or simply listing multiple URLs), the HSTS protection that should be applied based on previously received HSTS headers fails to persist between requests.
This means that if the first URL interaction establishes an HSTS policy for a domain, subsequent requests to that same domain within the same curl execution may still use HTTP instead of being automatically upgraded to HTTPS. This defeats the purpose of HSTS protection and creates a window where sensitive data could be transmitted in cleartext.
Root Cause
The root cause of this vulnerability is improper state management in curl's HSTS implementation. The HSTS cache state was not being correctly propagated or maintained between serial URL transfers within the same curl process execution. This state isolation issue meant that HSTS policies learned or cached from earlier requests were not being applied to later requests in the same command-line session.
Attack Vector
This vulnerability is exploitable via network-based attacks. An attacker positioned to perform a man-in-the-middle (MITM) attack on the network path between the curl client and the target server could exploit this flaw to intercept sensitive data that should have been protected by HSTS.
The attack scenario would involve:
- A victim using curl with HSTS enabled to make multiple requests to the same domain
- The first request properly uses HTTPS and receives an HSTS policy
- Subsequent requests on the same command line fail to honor the HSTS policy
- The attacker intercepts the downgraded HTTP traffic, capturing sensitive information such as authentication credentials, session tokens, or confidential data
No authentication is required to exploit this vulnerability, and no user interaction beyond normal curl usage is needed.
Detection Methods for CVE-2023-23914
Indicators of Compromise
- Unexpected HTTP traffic to domains that should be accessed exclusively via HTTPS
- Network traffic analysis showing cleartext data transmission to HSTS-protected domains
- Log entries indicating HTTP requests to sites known to enforce HSTS policies
- curl command executions with multiple URLs where subsequent requests use HTTP instead of HTTPS
Detection Strategies
- Monitor network traffic for HTTP connections to domains that are known to enforce HSTS policies
- Implement network-based detection rules to identify cleartext transmission of sensitive headers (e.g., Authorization, Cookie) to HTTPS-only domains
- Review system logs for curl executions with multiple URL parameters
- Deploy TLS inspection capabilities to identify protocol downgrade attempts
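The detection strategies above can be automated: an added example (not from curl, NetApp, Splunk or SentinelOne) that loads a constructed HSTS cache, assumed to be in curl's --hsts file format (optional leading "." for includeSubDomains, host, quoted UTC expiry), and flags constructed proxy log lines that request plain http:// from a host covered by an unexpired HSTS entry.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed HSTS cache (assumed curl --hsts format; '.' prefix = includeSubDomains).
HSTS_CACHE = """\
# Your HSTS cache. https://curl.se/docs/hsts.html
.example.com "20991231 23:59:59"
login.example.net "20991231 23:59:59"
expired.example.org "20200101 00:00:00"
"""

# Constructed proxy log lines: <epoch> <client> <method> <url>.
PROXY_LOG = """\
1677000000 10.0.0.5 GET https://example.com/
1677000001 10.0.0.5 GET http://example.com/sensitive
1677000002 10.0.0.5 GET http://api.example.com/token
1677000003 10.0.0.6 POST http://login.example.net/session
1677000004 10.0.0.6 GET http://other.example.net/
1677000005 10.0.0.7 GET http://expired.example.org/
"""

def parse_hsts_cache(text):
    """Return (host, include_subdomains, expiry) tuples from an HSTS cache."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, quoted = line.partition(" ")
        expiry = datetime.strptime(quoted.strip('"'), "%Y%m%d %H:%M:%S")
        entries.append((host.lstrip("."), host.startswith("."), expiry.replace(tzinfo=timezone.utc)))
    return entries

def hsts_covers(entries, host, when):
    """True if an unexpired entry applies to host (exact match or covered subdomain)."""
    for entry_host, include_sub, expiry in entries:
        if expiry <= when:
            continue  # an expired policy no longer forces HTTPS
        if host == entry_host or (include_sub and host.endswith("." + entry_host)):
            return True
    return False

def find_cleartext_to_hsts_hosts(log_text, cache_text):
    """Return log lines that fetch plain http:// from an HSTS-covered host."""
    entries = parse_hsts_cache(cache_text)
    hits = []
    for line in log_text.splitlines():
        epoch, _client, _method, url = line.split()
        parts = urlsplit(url)
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        if parts.scheme == "http" and hsts_covers(entries, parts.hostname, when):
            hits.append(line)
    return hits
```

Each returned line is a request that a correctly functioning HSTS cache should have upgraded to HTTPS; requests to hosts whose policy has expired, or to sibling hosts not covered by includeSubDomains, are not flagged.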
Monitoring Recommendations
- Enable verbose logging for curl operations in production environments to track protocol usage
- Implement network segmentation and traffic analysis to detect unencrypted sensitive data flows
- Use SentinelOne's network visibility features to monitor for unexpected HTTP traffic patterns
- Establish baseline curl version inventories across the organization to identify vulnerable installations
How to Mitigate CVE-2023-23914
Immediate Actions Required
- Upgrade curl to version 7.88.0 or later immediately across all affected systems
- Audit systems for vulnerable curl versions using package managers or software inventory tools
- Review applications and scripts that may use curl with multiple URLs on a single command line
- Consider using separate curl invocations for each URL as a temporary workaround
- Update affected NetApp and Splunk products according to vendor advisories
Patch Information
The vulnerability has been addressed in curl version 7.88.0. Organizations should update to this version or later to remediate the vulnerability. For additional vendor-specific guidance, refer to:
- HackerOne Report #1813864 - Original vulnerability report
- NetApp Security Advisory NTAP-20230309-0006 - NetApp product updates
- Gentoo GLSA 202310-12 - Gentoo Linux security advisory
Workarounds
- Execute separate curl commands for each URL instead of combining multiple URLs in a single invocation
- Enforce HTTPS at the URL level by explicitly specifying https:// in all URLs rather than relying on HSTS upgrades
- Implement network-level controls to block outbound HTTP traffic to sensitive domains
- Use application-layer firewalls to enforce HTTPS-only communication for critical services
# Recommended: Use separate curl invocations instead of multiple URLs
# Instead of: curl https://example.com http://example.com/sensitive
# Use separate commands:
curl https://example.com
curl https://example.com/sensitive
# Or ensure HTTPS is explicitly specified for all URLs
curl https://example.com https://example.com/sensitive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.