CVE-2023-27535 Overview
CVE-2023-27535 is an authentication bypass vulnerability in libcurl 7.13.0 through 7.88.1 (fixed in 8.0.0) that affects FTP connection reuse. When libcurl looks for a cached connection to reuse, it ignores four FTP-specific options (the FTP account string, the alternative USER string, the Clear Command Channel setting and the CURLOPT_USE_SSL level), so a new transfer can be handed a connection that was set up with a different FTP account or with weaker transport security than the transfer asked for. The result can be exposure of sensitive data: a transfer that was meant to require TLS may run over a previously established plaintext connection, or a transfer may run under a different FTP account than the application intended.
Critical Impact
Applications using libcurl for FTP transfers may unknowingly perform a transfer over a pooled connection that was opened with a different FTP account, alternative USER string, CCC setting or TLS requirement, exposing data to an unintended server-side account or, when a TLS requirement is silently dropped, to anyone on the network path.
Affected Products
- Haxx libcurl (7.13.0 through 7.88.1; fixed in 8.0.0)
- Fedora 36
- Debian Linux 10.0
- NetApp Active IQ Unified Manager (VMware vSphere)
- NetApp ONTAP 9
- NetApp H300S, H500S, H700S, H410S (firmware and hardware)
- Splunk Universal Forwarder
Discovery Timeline
- 2023-03-20 - curl 8.0.0 released with the fix, together with the curl project's advisory
- 2023-03-30 - CVE-2023-27535 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2023-27535
Vulnerability Analysis
The vulnerability resides in libcurl's connection pooling mechanism, which is designed to improve performance by reusing established connections for subsequent transfers that match the same configuration. However, the implementation contains a flaw where certain FTP-specific configuration options are not properly included in the connection matching checks.
Specifically, the following CURLOPT settings were not compared when libcurl decided whether a cached connection could serve a new transfer:
- CURLOPT_FTP_ACCOUNT - FTP account string sent with the ACCT command
- CURLOPT_FTP_ALTERNATIVE_TO_USER - alternative USER command string sent when the normal login fails
- CURLOPT_FTP_SSL_CCC - Clear Command Channel mode (drop TLS on the control channel after authentication)
- CURLOPT_USE_SSL - the level of SSL/TLS required for the transfer (none, try, control channel only, or all)
The primary user name and password were already part of the comparison, but with these four options left out, connections with different FTP account strings or different security requirements could be matched and reused. A transfer could therefore run under the account or at the security level of an earlier, unrelated transfer rather than the one it was configured for.
The vulnerability is classified under CWE-305 (Authentication Bypass by Primary Weakness) and CWE-287 (Improper Authentication), reflecting the core issue of authentication controls being circumvented due to improper validation logic.
Root Cause
The root cause of CVE-2023-27535 lies in incomplete configuration matching within libcurl's connection reuse logic. When libcurl stores connections in its connection pool for potential reuse, it compares incoming transfer requests against existing pooled connections to find a suitable match. The matching algorithm checks various connection parameters to ensure compatibility, but the developers inadvertently omitted several FTP-specific options from these checks.
This oversight means that connections established with different FTP account credentials, alternative user strings, SSL/TLS requirements, or Clear Command Channel settings can be incorrectly identified as matching a new request. The connection pool then provides a connection configured for one set of credentials to a transfer that requires different credentials.
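To make the matching gap concrete, the following is an added illustration written for this page (it is not libcurl's own code, which keeps this logic in its connection-cache lookup). It models the comparison before and after the fix with a plain C struct, a toy pool and a request that differs from the cached connection only in the FTP account string and the CURLOPT_USE_SSL level; it also models CURLOPT_FRESH_CONNECT as a flag that skips the cache, which is the workaround given under Mitigation. The struct layout, the enum values, the pool and the demo_* functions are assumptions for the example. It serves both the option list in Vulnerability Analysis and this Root Cause section.

```c
/*
 * Added illustration for CVE-2023-27535, not libcurl's code.
 * Field names, enum values and the pool are simplified assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the CURLOPT_USE_SSL levels. */
enum use_ssl { USESSL_NONE = 0, USESSL_TRY = 1, USESSL_CONTROL = 2, USESSL_ALL = 3 };

/* Settings that describe one FTP transfer, or one cached connection. */
struct ftp_conn {
    const char  *host;
    int          port;
    const char  *user;
    const char  *password;
    /* the four options libcurl < 8.0.0 ignored when matching */
    const char  *ftp_account;   /* CURLOPT_FTP_ACCOUNT             */
    const char  *alt_to_user;   /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    bool         ssl_ccc;       /* CURLOPT_FTP_SSL_CCC             */
    enum use_ssl use_ssl;       /* CURLOPT_USE_SSL                 */
};

/* NULL-safe string equality: two unset strings count as equal. */
static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Pre-8.0.0 behaviour: endpoint and primary credentials only. */
bool conn_matches_vulnerable(const struct ftp_conn *want, const struct ftp_conn *have)
{
    return str_eq(want->host, have->host) && want->port == have->port &&
           str_eq(want->user, have->user) && str_eq(want->password, have->password);
}

/* Fixed behaviour: the FTP-specific options must match as well. */
bool conn_matches_fixed(const struct ftp_conn *want, const struct ftp_conn *have)
{
    return conn_matches_vulnerable(want, have) &&
           str_eq(want->ftp_account, have->ftp_account) &&
           str_eq(want->alt_to_user, have->alt_to_user) &&
           want->ssl_ccc == have->ssl_ccc &&
           want->use_ssl == have->use_ssl;
}

typedef bool (*match_fn)(const struct ftp_conn *, const struct ftp_conn *);

/* Look for a reusable connection; NULL means "open a new one".
 * fresh_connect models CURLOPT_FRESH_CONNECT: skip the cache entirely. */
const struct ftp_conn *pool_find(const struct ftp_conn *pool, size_t n,
                                 const struct ftp_conn *want,
                                 match_fn match, bool fresh_connect)
{
    if (fresh_connect)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (match(want, &pool[i]))
            return &pool[i];
    return NULL;
}

/* Constructed scenario: a plaintext connection to the host is cached, then the
 * application asks for the same host and login but with TLS required and a
 * different ACCT string. Returns 1 if the cached connection is handed back. */
int demo_wrong_reuse(bool use_fixed_matcher)
{
    struct ftp_conn pool[1] = {
        { "ftp.example.test", 21, "alice", "s3cret", NULL, NULL, false, USESSL_NONE }
    };
    struct ftp_conn want =
        { "ftp.example.test", 21, "alice", "s3cret", "acct-b", NULL, false, USESSL_ALL };
    const struct ftp_conn *c = pool_find(pool, 1, &want,
                                         use_fixed_matcher ? conn_matches_fixed
                                                           : conn_matches_vulnerable,
                                         false);
    return c != NULL;
}

/* Same request against the vulnerable matcher, but with CURLOPT_FRESH_CONNECT
 * modelled: the cache is skipped, so no mismatched connection can come back. */
int demo_fresh_connect(void)
{
    struct ftp_conn pool[1] = {
        { "ftp.example.test", 21, "alice", "s3cret", NULL, NULL, false, USESSL_NONE }
    };
    struct ftp_conn want =
        { "ftp.example.test", 21, "alice", "s3cret", "acct-b", NULL, false, USESSL_ALL };
    return pool_find(pool, 1, &want, conn_matches_vulnerable, true) != NULL;
}

int main(void)
{
    printf("vulnerable matcher reuses plaintext connection: %d\n", demo_wrong_reuse(false));
    printf("fixed matcher reuses plaintext connection:      %d\n", demo_wrong_reuse(true));
    printf("fresh-connect reuses any connection:            %d\n", demo_fresh_connect());
    return 0;
}
```

With the vulnerable matcher the request for a TLS-only transfer is satisfied by the cached plaintext connection; the fixed matcher rejects it because use_ssl and ftp_account differ, and the fresh-connect path never consults the cache at all.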
Attack Vector
No attacker-controlled trigger is needed; the condition arises from how the application itself drives libcurl. It occurs when one easy or multi handle (and therefore one connection cache) is used for several FTP transfers to the same host, port and login while the transfers differ in one of the four options above. The scenario:
- A transfer establishes a connection to an FTP server with one set of FTP options (for example no TLS, or a given ACCT string) and the connection is kept in the pool
- A later transfer to the same host is configured with different FTP options, for example CURLOPT_USE_SSL set to require TLS, or a different CURLOPT_FTP_ACCOUNT
- Because those options are not part of the match, the pooled connection is reused instead of a new one being set up with the requested settings
- The transfer proceeds on the old connection: commands and data may travel in clear text although TLS was requested (readable by anyone on the network path), or the transfer runs under the account the earlier transfer used rather than the one intended
Exploitation therefore depends on application behaviour rather than on attacker timing, which is why the curl project rated the issue as low severity; the practical impact is largest in long-running services or multi-tenant applications that talk to the same FTP host with different credential sets or security levels from one process.
Detection Methods for CVE-2023-27535
Indicators of Compromise
- FTP control sessions in which a further transfer starts without a new login but uses a different ACCT string or TLS expectation than the session was opened with
- Application logs that attribute a transfer to one FTP account while the server recorded it under another
- FTP transfers that the application configured to require TLS (CURLOPT_USE_SSL) completing over a plaintext control channel
- libcurl verbose output reporting "Re-using existing connection" for a transfer whose FTP options differ from those of the transfer that opened the connection
Detection Strategies
- Monitor FTP server access logs for sessions whose ACCT, alternative USER or TLS state does not match what the client application is expected to send
- Add application-level logging that records, per transfer, which FTP account and TLS level were requested, so it can be correlated with libcurl's connection reuse messages
- Deploy network monitoring to flag unencrypted FTP control or data traffic from clients that are configured to require TLS; a reused plaintext connection is the most visible symptom of this bug
Monitoring Recommendations
- Enable verbose output (CURLOPT_VERBOSE, or CURLOPT_DEBUGFUNCTION for structured capture) in development and staging environments to observe which transfers reuse a connection
- Configure FTP servers to log detailed authentication events including account and alternative user commands
- Implement alerting on SSL/TLS downgrade events in FTP communications monitored by network security tools
How to Mitigate CVE-2023-27535
Immediate Actions Required
- Upgrade libcurl to version 8.0.0 or later, which includes the fix for this vulnerability
- Audit applications using libcurl for FTP transfers with multiple credential sets or varying security requirements
- Until patching is complete, defeat connection reuse for affected transfers by setting CURLOPT_FRESH_CONNECT (do not take a cached connection) together with CURLOPT_FORBID_REUSE (do not leave the connection in the cache)
- Review and update all affected downstream products including Splunk Universal Forwarder and NetApp components
Patch Information
The vulnerability has been addressed in libcurl 8.0.0; the curl project's advisory is at https://curl.se/docs/CVE-2023-27535.html. Organizations should update to the latest stable release of libcurl available for their platform. Multiple Linux distributions have released patches, including Debian (see Debian LTS Announcement April 2023) and Fedora (see Fedora Package Announcement). NetApp customers should refer to NetApp Security Advisory NTAP-20230420-0010 for product-specific guidance. Additional details are available in the Gentoo GLSA 202310-12 advisory and the original HackerOne Report #1892780.
Workarounds
- Set CURLOPT_FRESH_CONNECT to 1L so the transfer never takes a pooled connection, and CURLOPT_FORBID_REUSE to 1L so the connection it opens is closed afterwards rather than cached; both are needed to keep a mismatched connection out of reach of later transfers
- Do not rely on CURLOPT_MAXCONNECTS: it only caps the number of cached connections and does not make a mismatched connection ineligible for reuse, so it is not a mitigation for this issue
- Implement application-level connection management that segregates connections by credential set rather than relying on libcurl's built-in pooling
# Command line: the curl tool has no "fresh connect" switch (--no-keepalive only
# disables TCP keepalive probes). Connections are pooled only within one
# invocation, so run transfers that need different FTP options as separate
# curl processes instead of one multi-URL command line, e.g.
curl --ssl-reqd ftp://server/resource
# In application code using the libcurl easy API:
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "ftp://server/resource");
curl_easy_setopt(curl, CURLOPT_FRESH_CONNECT, 1L); /* never take a cached connection */
curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1L);  /* never leave this one in the cache */
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

