A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly ingest data from on-prem, cloud or hybrid environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Identity Security
    • Singularity Identity
      Identity Threat Detection and Response
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-class Expertise and Threat Intelligence.
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive solutions for seamless security operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your go-to source for our top partners in your region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-9681

CVE-2024-9681: Haxx Curl HSTS Cache Corruption Vulnerability

CVE-2024-9681 is an HSTS cache corruption flaw in Haxx Curl that causes subdomain expiry times to incorrectly overwrite parent domain cache entries. This post covers technical details, affected versions, and mitigation steps.

Published: January 28, 2026

CVE-2024-9681 Overview

CVE-2024-9681 is an improper comparison vulnerability in curl's HTTP Strict Transport Security (HSTS) cache implementation. When curl is configured to use HSTS, the expiry time for a subdomain might incorrectly overwrite a parent domain's cache entry, causing the HSTS policy to end sooner or later than intended. This flaw affects applications that enable HSTS, use URLs with the insecure HTTP:// scheme, and perform transfers with both subdomain hosts (e.g., x.example.com) and their parent domains (e.g., example.com).

The vulnerability is triggered when a subdomain responds with Strict-Transport-Security: headers, causing the subdomain's expiry timeout to "bleed over" and incorrectly set the expiry for the parent domain in curl's HSTS cache. This can result in HTTP accesses to the parent domain being converted to HTTPS for a different period than originally specified by the server, or cause premature expiration of the parent's HSTS entry, potentially switching traffic back to insecure HTTP earlier than intended.

Critical Impact

HSTS cache manipulation could result in premature downgrade from HTTPS to insecure HTTP connections, exposing users to man-in-the-middle attacks and data interception.

Affected Products

  • haxx curl (all versions prior to patch)

Discovery Timeline

  • 2024-11-06 - CVE-2024-9681 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2024-9681

Vulnerability Analysis

This vulnerability stems from an improper comparison issue (CWE-697) in curl's HSTS cache management logic. The HSTS feature is designed to enforce secure HTTPS connections for domains that have previously indicated support via the Strict-Transport-Security header. However, when processing HSTS headers from subdomain responses, curl fails to properly isolate cache entries between subdomains and their parent domains.

The bug requires specific conditions to manifest: the HSTS cache must already contain entries for the domains involved (either populated manually or through previous HTTPS accesses), and the application must make requests to both a subdomain and its parent domain using insecure HTTP URLs. When these conditions are met, the subdomain's HSTS expiry time can overwrite the parent domain's cache entry.

The practical impact is two-fold. First, if a parent domain stops supporting HTTPS at its intended expiry time but curl has recorded a longer timeout from a subdomain, subsequent HTTP requests will incorrectly attempt HTTPS and fail. Second, if the subdomain's expiry is shorter, curl may prematurely switch back to insecure HTTP, eliminating the security benefits of HSTS and potentially exposing traffic to interception.

Root Cause

The root cause is an improper comparison flaw (CWE-697) in curl's HSTS cache lookup and update logic. When storing HSTS expiry information, curl incorrectly matches subdomain entries against parent domain cache keys, allowing expiry times to cross domain boundaries. This comparison error violates the domain isolation principles that HSTS relies upon for security.

Attack Vector

This vulnerability has a network-based attack vector that requires an attacker to be in a position to serve HSTS headers from a subdomain. An attacker controlling a subdomain (or able to inject HSTS headers into subdomain responses) can manipulate the HSTS expiry time for the parent domain. This could be exploited to:

  1. Force premature HSTS expiration on a parent domain, enabling downgrade attacks
  2. Extend HSTS expiry inappropriately, causing connection failures if the parent domain stops HTTPS support
  3. Create denial-of-service conditions by manipulating cache timing

The attack requires no user interaction beyond normal browsing activity and exploits the trust relationship between domains and subdomains in the HSTS implementation.

Detection Methods for CVE-2024-9681

Indicators of Compromise

  • Unexpected HSTS cache entries with expiry times that don't match server-specified values
  • Connection failures to parent domains that recently supported HTTPS
  • Anomalous HTTP traffic to domains that should be HSTS-protected
  • Unexplained downgrades from HTTPS to HTTP for previously secure connections

Detection Strategies

  • Monitor curl version deployments across infrastructure and flag unpatched instances
  • Implement network monitoring to detect unexpected HTTP connections to HSTS-protected domains
  • Audit HSTS cache files for inconsistencies between subdomain and parent domain expiry times
  • Review application logs for connection failures related to HTTPS enforcement

Monitoring Recommendations

  • Deploy network security monitoring to detect potential downgrade attacks on HSTS-protected domains
  • Implement alerting for curl library version checks in CI/CD pipelines
  • Monitor outbound connections for HTTP traffic to domains expected to use HSTS
  • Review web server access logs for unusual patterns of HTTP vs HTTPS requests

How to Mitigate CVE-2024-9681

Immediate Actions Required

  • Update curl to the latest patched version addressing CVE-2024-9681
  • Audit applications using libcurl with HSTS enabled to assess exposure
  • Consider temporarily disabling HSTS in curl for critical applications until patching is complete
  • Review HSTS cache contents for any signs of manipulation

Patch Information

Patches for this vulnerability are available from the curl project. Organizations should update to the latest curl release that addresses CVE-2024-9681. Detailed patch information and security advisories can be found at the official curl CVE-2024-9681 documentation. Additional details are available via the HackerOne report and the NetApp Security Advisory.

Workarounds

  • Disable HSTS support in curl using --no-hsts flag if HTTPS enforcement can be handled at network layer
  • Avoid mixed subdomain and parent domain requests in the same curl session when using HSTS
  • Implement certificate pinning as an alternative to HSTS for critical connections
  • Use explicit HTTPS URLs throughout applications rather than relying on HSTS upgrades
bash
# Disable HSTS in curl as a temporary workaround
curl --no-hsts https://example.com/resource

# Clear HSTS cache to remove potentially corrupted entries
rm ~/.curl-hsts

# Force HTTPS explicitly without relying on HSTS
curl --proto '=https' https://example.com/resource

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechCurl
  • SeverityMEDIUM
  • CVSS Score6.5
  • EPSS Probability0.58%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-697
  • Technical References
  • Full Disclosure April 10, 2025
  • Full Disclosure April 11, 2025
  • Full Disclosure April 12, 2025
  • Full Disclosure April 13, 2025
  • Full Disclosure April 4, 2025
  • Full Disclosure April 5, 2025
  • Full Disclosure April 8, 2025
  • Full Disclosure April 9, 2025
  • NetApp Security Advisory NTAP-20241213-0006
  • Vendor Resources
  • Curl CVE-2024-9681 Documentation
  • Curl CVE-2024-9681 JSON Data
  • HackerOne Report #2764830
  • OpenWall OSS-Security Post
  • Related CVEs
  • CVE-2025-15224
  • CVE-2025-15079
  • CVE-2025-14819
  • CVE-2025-14524
  • CVE-2025-14017
  • CVE-2025-13034
  • CVE-2025-5399
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use