curl CVE-2024-9681 HSTS subdomain overwrites parent cache entry

Key Information Vulnerability Description CVE ID: CVE-2024-9681 Vulnerability Name: HSTS subdomain overwrites parent cache entry Description: When curl is instructed to use HSTS, the expiration time of a subdomain may overwrite the cache entry for its parent domain, causing it to expire prematurely or be delayed unexpectedly. Impact Affects scenarios where curl uses HSTS, particularly when a subdomain uses an insecure scheme and communicates with hostnames such as and (where the first is a subdomain of the second). When responds with a header, this vulnerability may cause the subdomain’s expiration time to be prematurely applied and set for the parent domain in curl’s HSTS cache. As a result, HTTP access to may be redirected to HTTPS, but within a time range that differs from the original server’s intended duration. If stops supporting HTTPS after its actual expiration, curl may attempt to access after an incorrectly set expiration time, leading to an unintended switch back to HTTPS over insecure HTTP. Information When triggered, this could represent a potential secondary DoS security issue, especially if HTTPS access is attempted and no longer works, or if plaintext data transmission needs protection. However, if is intentionally configured for HSTS as described, the server should expect clients to attempt HTTPS upgrades outside the HSTS-defined time window. Failure scenarios involve attempts to access a domain using plaintext HTTP. Since plaintext HTTP is an insecure protocol, applications should not rely on or trust such responses, which reduces the severity of the issue. Even without this vulnerability, servers occasionally set HSTS headers while HTTPS functionality is problematic — this is a scenario that does not require curl to handle; applications should have logic to manage such cases. Applications can simply bypass this by disabling HSTS. This vulnerability is not considered a C programming error (unlikely to be avoided without using C). The flaw also affects the curl command-line tool. Affected Versions Affected versions: curl 7.74.0 to 8.10.1 Unaffected versions: curl = 8.11.0 Introduced in: https://github.com/curl/curl/commit/7385610d0c74c6a25 Fix Fixed in: https://github.com/curl/curl/commit/a94973805df96269bf Recommended Actions Immediately take one of the following actions, in order of priority: - Upgrade curl and libcurl to version 8.11.0 - Apply the patch to your version and rebuild - Avoid relying on HSTS Timeline The issue was reported to the curl project on October 7, 2024. We contacted distros@openwall on October 29, 2024. curl 8.11.0 was released on November 6, 2024, at 06:00 UTC, coordinated with this advisory. Credit Reporter: newfunction Fixer: Daniel Stenberg Thank you all!

Goal Reached Thanks to every supporter — we hit 100%!

curl CVE-2024-9681 HSTS subdomain overwrites parent cache entry