CVE-2023-38546 Overview
CVE-2023-38546 is an input validation vulnerability in libcurl that allows an attacker to insert arbitrary cookies into a running program using libcurl when a specific series of conditions is met. The flaw exists in the curl_easy_duphandle function, which is used to duplicate transfer handles. When a transfer has cookies enabled and the handle is duplicated, the cookie-enable state is cloned without cloning the actual cookies, potentially leading to unintended cookie loading from a file named none in the current working directory.
Critical Impact
Attackers can inject arbitrary cookies into applications using libcurl by placing a specially crafted file named none in the program's working directory, potentially enabling session hijacking or authentication bypass in affected applications.
Affected Products
- Haxx libcurl (vulnerable versions prior to patch)
- Apple macOS (addressed in HT214036, HT214057, HT214058, HT214063)
- Fedora Linux distributions using affected libcurl versions
Discovery Timeline
- 2023-10-18 - CVE-2023-38546 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-38546
Vulnerability Analysis
This vulnerability is an input validation flaw affecting libcurl's handle duplication mechanism. The issue arises from improper state management when duplicating transfer handles that have cookies enabled. When curl_easy_duphandle() is called on a handle with cookies enabled, the cookie state is cloned but the actual cookie data is not properly transferred. If the source handle did not read cookies from a specific file on disk, the cloned handle incorrectly stores the file name as the literal string none (four ASCII letters).
This creates a scenario where subsequent use of the cloned handle, if no explicit cookie source is set, will attempt to load cookies from a file literally named none in the current working directory. An attacker who can place such a file in the application's working directory can inject arbitrary cookies into the libcurl session.
Root Cause
The root cause lies in the curl_easy_duphandle function's handling of cookie state during handle duplication. When cloning an easy handle with cookies enabled, the function fails to properly preserve the cookie source information. Instead of maintaining a null or empty state for the cookie file path, it defaults to the literal string none. This creates an unintended file path reference that can be exploited if an attacker has write access to the application's working directory.
Attack Vector
The attack requires a specific chain of conditions to be met:
- The application must use libcurl with cookies enabled
- The application must call curl_easy_duphandle() to duplicate a transfer handle
- The original handle must not have loaded cookies from a specific file
- The attacker must be able to place a file named none in the application's current working directory
- The file must contain properly formatted cookies
While these conditions make exploitation difficult, the vulnerability could be leveraged in shared hosting environments, containerized applications with shared volumes, or systems where attackers have limited file write capabilities. The attack enables cookie injection which could lead to session manipulation or authentication bypass in web-facing applications that rely on libcurl for HTTP transfers.
Detection Methods for CVE-2023-38546
Indicators of Compromise
- Unexpected files named none appearing in application working directories
- Anomalous cookie behavior in applications using libcurl for HTTP transfers
- File access attempts to files named none from libcurl-dependent processes
Detection Strategies
- Monitor file system access patterns for reads to files named none from processes using libcurl
- Implement application-level logging to track cookie sources in libcurl-based applications
- Use file integrity monitoring on application working directories to detect unauthorized file creation
Monitoring Recommendations
- Enable audit logging for file creation events in directories where libcurl applications execute
- Monitor for unusual cookie injection patterns in HTTP traffic from affected applications
- Review application logs for unexpected cookie loading behavior after handle duplication operations
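To make the audit-logging and file-access monitoring recommendations above concrete, the following is an added example (not code from this page or from the curl project) that groups Linux auditd records by event serial and flags every event whose PATH record names a file called none, reporting which process touched it, the path resolved against the event's CWD record, and whether the file was read or created. The audit records are constructed samples that follow auditd's SYSCALL/CWD/PATH layout; the process names, paths and audit key are assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Constructed auditd records (not real captures): serial 4401 is a benign config read,
# 4402 is a libcurl-based process reading a file named "none" from its working
# directory, 4403 is an earlier shell creating that file there.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1697630000.101:4401): syscall=openat success=yes pid=2310 uid=33 comm="webapp" exe="/opt/webapp/bin/webapp" key="cwd-access"
type=CWD msg=audit(1697630000.101:4401): cwd="/opt/webapp"
type=PATH msg=audit(1697630000.101:4401): item=0 name="config.json" inode=1001 nametype=NORMAL
type=SYSCALL msg=audit(1697630000.205:4402): syscall=openat success=yes pid=2310 uid=33 comm="webapp" exe="/opt/webapp/bin/webapp" key="cwd-access"
type=CWD msg=audit(1697630000.205:4402): cwd="/opt/webapp"
type=PATH msg=audit(1697630000.205:4402): item=0 name="none" inode=1002 nametype=NORMAL
type=SYSCALL msg=audit(1697629900.300:4403): syscall=openat success=yes pid=2801 uid=1000 comm="sh" exe="/bin/dash" key="cwd-access"
type=CWD msg=audit(1697629900.300:4403): cwd="/opt/webapp"
type=PATH msg=audit(1697629900.300:4403): item=0 name="/opt/webapp" inode=900 nametype=PARENT
type=PATH msg=audit(1697629900.300:4403): item=1 name="none" inode=1002 nametype=CREATE
"""
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_events(text):
    """Group audit records by event serial; each record becomes a dict of its fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[m.group(1)].append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def find_none_file_events(text, suspect_name="none"):
    """One finding per PATH record whose basename is `none`, joined with the event's
    SYSCALL (who) and CWD (where) records so a relative name can be resolved."""
    findings = []
    for serial, records in parse_audit_events(text).items():
        who = next((r for r in records if r["type"] == "SYSCALL"), {})
        cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), "")
        for r in records:
            if r["type"] == "PATH" and posixpath.basename(r.get("name", "")) == suspect_name:
                findings.append({
                    "serial": serial, "pid": who.get("pid"), "comm": who.get("comm"),
                    "exe": who.get("exe"), "path": posixpath.join(cwd, r["name"]),
                    "action": "created" if r.get("nametype") == "CREATE" else "opened",
                })
    return findings
```

Run against a real auditd log, the "created" findings point at whoever wrote the file (the L36 creation-event recommendation) and the "opened" findings at libcurl-based processes that may have loaded cookies from it.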
How to Mitigate CVE-2023-38546
Immediate Actions Required
- Update libcurl to the latest patched version available from your distribution
- Review applications using curl_easy_duphandle() with cookies enabled for potential exposure
- Ensure application working directories have proper access controls to prevent unauthorized file creation
- Consider explicitly setting cookie sources after handle duplication to override default behavior
Patch Information
Security patches have been released by multiple vendors. Consult the official cURL CVE-2023-38546 documentation for the complete list of affected versions and patches. Apple has addressed this vulnerability in macOS updates documented in HT214036, HT214057, HT214058, and HT214063. Debian and Fedora users should apply available security updates through their package managers.
Workarounds
- Explicitly set cookie sources using CURLOPT_COOKIEFILE after calling curl_easy_duphandle() to prevent unintended file loading
- Restrict file creation permissions in directories where libcurl applications run
- Implement application-level validation of cookie sources before HTTP transfers
- Consider running libcurl applications in isolated environments with controlled file system access
# Example: Verify libcurl version and check for vulnerable installations
curl --version | head -1
# Check if a file named 'none' exists in common application directories
find /var/www -name "none" -type f 2>/dev/null
find /opt -name "none" -type f 2>/dev/null
# Update libcurl on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade libcurl4
# Update libcurl on Fedora/RHEL systems
sudo dnf update libcurl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.