CVE-2024-0853: Haxx Curl Auth Bypass Vulnerability

CVE-2024-0853 is an authentication bypass vulnerability in Haxx Curl that allows SSL connections to succeed despite failed OCSP stapling verification. This article covers the technical details, affected versions, and mitigation.

Published: January 28, 2026

CVE-2024-0853 Overview

CVE-2024-0853 is a certificate validation bypass vulnerability affecting curl version 8.5.0. The vulnerability occurs when curl inadvertently retains SSL session IDs in its cache even after an OCSP stapling verification failure. When a subsequent connection is made to the same hostname, curl may reuse the cached session ID, effectively bypassing the certificate revocation status check that should have prevented the connection.

This flaw is classified under CWE-295 (Improper Certificate Validation) and represents a significant security concern for applications relying on curl for secure communications with proper certificate revocation checking.

Critical Impact

Connections to servers with revoked certificates may succeed if the SSL session cache contains a valid session ID from a previous connection, undermining the security guarantees of OCSP stapling verification.

Affected Products

  • Haxx curl version 8.5.0

Discovery Timeline

  • 2024-02-03 - CVE-2024-0853 published to NVD
  • 2025-06-20 - Last updated in NVD database

Technical Details for CVE-2024-0853

Vulnerability Analysis

The vulnerability exists in curl's SSL session caching mechanism when OCSP stapling is enabled. OCSP (Online Certificate Status Protocol) stapling is a security feature where the server provides a signed, timestamped response from the Certificate Authority proving the certificate hasn't been revoked. When this verification fails, curl should reject the connection entirely and discard any associated session data.

However, in curl 8.5.0 the SSL session ID is erroneously retained in the cache even when the OCSP stapling verification fails. SSL session resumption is a TLS optimization that lets a client skip the full handshake on later connections by presenting a previously negotiated session ID. Because the session is treated as already validated by the original handshake, resumption skips the certificate verification process entirely, including the OCSP check.

This creates a window where an attacker controlling a server with a revoked certificate could potentially establish a trusted connection if the client previously connected to that hostname before the certificate was revoked.

Root Cause

The root cause is improper handling of the SSL session cache when certificate validation fails. The session ID should be invalidated and removed from the cache whenever any part of the certificate verification chain fails, including OCSP stapling checks. The code path that handles OCSP verification failures did not properly clear the session cache entry, allowing subsequent connections to reuse the compromised session.

Attack Vector

The attack requires network access and operates through the following mechanism:

  1. The victim's curl client connects to a legitimate server and caches the SSL session ID
  2. The server's certificate is subsequently revoked (due to compromise, key exposure, etc.)
  3. An attacker obtains control of the server or performs a man-in-the-middle attack
  4. On subsequent connections, curl attempts session resumption using the cached session ID
  5. Because session resumption skips certificate verification, the OCSP stapling check that would detect the revoked certificate is bypassed
  6. The connection succeeds despite the certificate being revoked

The attack window exists while the session cache remains fresh. The integrity of subsequent communications could be compromised as the client believes it has a secure connection to a server with a valid certificate.
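To make the root cause concrete, the following is an added example (not curl's own code) that models the session-cache handling the advisory describes: a client whose 8.5.0-style path stores the session ID before the verify-status result is known, next to the fixed path and the session-cache-disabled workaround. Hosts, session IDs and the `revoked` set are constructed stand-ins.

```python
# Added example, not curl's own code: a model of the session-cache handling the
# advisory describes. Hosts, session IDs and the revoked set are constructed.
from dataclasses import dataclass, field


class VerifyStatusError(Exception):
    """The stapled OCSP response did not confirm the certificate as good."""


@dataclass
class SslClient:
    revoked: set = field(default_factory=set)  # constructed OCSP result per host
    cache: dict = field(default_factory=dict)  # hostname -> cached session ID
    cache_enabled: bool = True                 # CURLOPT_SSL_SESSIONID_CACHE
    fixed: bool = False                        # False: 8.5.0 model, True: fixed model

    def connect(self, host: str) -> str:
        """Return 'resumed' or 'full'; raise VerifyStatusError on OCSP failure."""
        if self.cache_enabled and host in self.cache:
            # Resumption reuses the earlier session and performs no certificate
            # verification at all, so the OCSP stapling check never runs.
            return "resumed"
        session_id = f"sess-{host}"
        if self.cache_enabled and not self.fixed:
            # 8.5.0 model: the session is stored as soon as it is negotiated,
            # before the verify-status result is known, and kept on failure.
            self.cache[host] = session_id
        if host in self.revoked:
            raise VerifyStatusError(f"OCSP stapling verification failed for {host}")
        if self.cache_enabled and self.fixed:
            # Fixed model: only a session whose checks all passed is cached.
            self.cache[host] = session_id
        return "full"


def attempt(client: SslClient, host: str) -> str:
    try:
        return client.connect(host)
    except VerifyStatusError:
        return "rejected"


def scenario(fixed: bool, cache_enabled: bool = True) -> tuple:
    """Outcomes of two consecutive transfers to a host with a revoked certificate."""
    client = SslClient(revoked={"revoked.example"}, cache_enabled=cache_enabled, fixed=fixed)
    return attempt(client, "revoked.example"), attempt(client, "revoked.example")


if __name__ == "__main__":
    print("8.5.0 model:", scenario(fixed=False))                            # ('rejected', 'resumed')
    print("fixed model:", scenario(fixed=True))                             # ('rejected', 'rejected')
    print("8.5.0 + --no-sessionid:", scenario(False, cache_enabled=False))  # ('rejected', 'rejected')
```

The second transfer in the 8.5.0 model succeeds by resumption even though the first was rejected, which is the bypass; disabling the session cache closes it even on the unfixed model.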

Detection Methods for CVE-2024-0853

Indicators of Compromise

  • Successful SSL/TLS connections to hosts where OCSP stapling verification previously failed
  • Curl verbose logs showing session resumption (SSL re-using session ID) for connections that should have fresh certificate validation
  • Unexpected session cache hits for connections to servers with known certificate issues

Detection Strategies

  • Enable curl verbose logging (-v or --verbose) to monitor SSL session behavior
  • Audit application logs for patterns indicating session reuse after certificate warnings
  • Monitor network traffic for TLS session resumption handshakes to previously problematic hosts
  • Implement certificate transparency log monitoring to detect revoked certificates in use
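As an added example of the second strategy above (not from the article or the curl project), this script scans curl verbose output for a session resumption to a host whose earlier handshake in the same log reported an OCSP stapling failure. The sample log and the message patterns are constructed; the exact wording curl prints varies by version and TLS backend, so adapt the regexes to your own logs.

```python
# Added example, not from the article or the curl project: flags session
# resumption to a host that earlier failed OCSP stapling in the same curl -v log.
# Sample log and message patterns are constructed (wording varies by curl version).
import re

CONNECTED = re.compile(r"^\* Connected to (\S+) ")
RESUMED = re.compile(r"^\* SSL re-?using session")                      # assumption
OCSP_FAILED = re.compile(r"^\* SSL: .*(OCSP|certificate status)", re.I)  # assumption

# Constructed curl -v excerpt: two transfers to revoked.example, one to good.example.
SAMPLE_LOG = """\
* Connected to revoked.example (203.0.113.10) port 443
* SSL: OCSP response verification failed
* Closing connection
* Connected to revoked.example (203.0.113.10) port 443
* SSL re-using session ID
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Connected to good.example (203.0.113.20) port 443
* SSL re-using session ID
"""


def find_suspicious_resumptions(log: str) -> list:
    """Return (line_number, host) for each session resumption to a host that
    previously failed OCSP stapling verification in the same log."""
    failed_hosts = set()
    host = None
    hits = []
    for num, line in enumerate(log.splitlines(), start=1):
        m = CONNECTED.match(line)
        if m:
            host = m.group(1)  # every later TLS message belongs to this host
            continue
        if host is None:
            continue
        if OCSP_FAILED.match(line):
            failed_hosts.add(host)
        elif RESUMED.match(line) and host in failed_hosts:
            # A resumed session skips certificate verification, so resumption
            # after a failed status check is the CVE-2024-0853 pattern to alert on.
            hits.append((num, host))
    return hits


if __name__ == "__main__":
    for num, host in find_suspicious_resumptions(SAMPLE_LOG):
        print(f"line {num}: session resumed to {host} after OCSP stapling failure")
```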

Monitoring Recommendations

  • Configure logging to capture all SSL/TLS handshake events and OCSP responses
  • Set up alerts for certificate revocation events affecting monitored domains
  • Review curl usage patterns in automated systems and scripts that may persist sessions
  • Monitor for connections to hosts where certificate validation has previously failed

How to Mitigate CVE-2024-0853

Immediate Actions Required

  • Upgrade curl to version 8.6.0 or later, which contains the fix for this vulnerability
  • Clear any existing SSL session caches in curl-based applications
  • Audit applications that rely on OCSP stapling for certificate validation
  • Consider temporarily disabling session caching if immediate upgrade is not possible

Patch Information

The curl project has addressed this vulnerability in releases following version 8.5.0. Users should upgrade to the latest stable release to receive the fix. Detailed information about the vulnerability and patch is available in the curl.se CVE-2024-0853 Documentation.

Additional security advisories have been issued by downstream vendors:

  • NetApp Security Advisory NTAP-20240307-0004
  • NetApp Security Advisory NTAP-20240426-0009
  • NetApp Security Advisory NTAP-20240503-0012

The original vulnerability was reported via HackerOne Report #2298922.

Workarounds

  • Disable SSL session ID caching by setting CURLOPT_SSL_SESSIONID_CACHE to 0 (disabled)
  • Use --no-sessionid command-line option for curl commands
  • Implement application-level certificate validation in addition to curl's built-in checks
  • For critical applications, consider using CURLOPT_SSL_VERIFYSTATUS with fresh connections (no session reuse)

```bash
# Disable SSL session ID caching for a single curl command
curl --no-sessionid https://example.com

# Or programmatically via the libcurl option, set on the easy handle:
# curl_easy_setopt(handle, CURLOPT_SSL_SESSIONID_CACHE, 0L);
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Haxx Curl
  • Severity: MEDIUM
  • CVSS Score: 5.3
  • EPSS Probability: 0.16%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-295

Technical References

  • HackerOne Report #2298922
  • NetApp Security Advisory NTAP-20240307-0004
  • NetApp Security Advisory NTAP-20240426-0009
  • NetApp Security Advisory NTAP-20240503-0012

Vendor Resources

  • curl.se CVE-2024-0853 Documentation
  • curl.se CVE-2024-0853 JSON Data

Related CVEs

  • CVE-2026-1965: Haxx Curl Auth Bypass Vulnerability
  • CVE-2026-3784: Haxx Curl Auth Bypass Vulnerability
  • CVE-2022-43551: Haxx Curl Auth Bypass Vulnerability
  • CVE-2021-22946: Haxx Curl Auth Bypass Vulnerability