The vulnerability description indicates that curl allowed an unbounded number of chained HTTP compression algorithms. The provided commit (3a09fbb7f264c67c438d01a30669ce325aa508e2) directly addresses this by modifying the Curl_build_unencoding_stack function in lib/content_encoding.c. This function is responsible for parsing the Content-Encoding header and setting up the decompression stack. The patch adds a counter and a defined maximum number of encoding steps (MAX_ENCODE_STACK). If this limit is exceeded, the function now returns an error (CURLE_BAD_CONTENT_ENCODING). This directly mitigates the vulnerability by preventing an excessive number of decompression operations. Therefore, Curl_build_unencoding_stack was the function that processed the malicious input and lacked the necessary bounds checking, making it the vulnerable function.
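The bounded parsing the patch introduces can be sketched as follows. This is an added example, not curl's own code: build_decode_stack, struct decode_stack, the PARSE_* results and the limit of 5 are assumptions made for illustration, standing in for Curl_build_unencoding_stack, MAX_ENCODE_STACK and CURLE_BAD_CONTENT_ENCODING.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_STEPS 5   /* assumed limit for this example */
#define TOKEN_LEN 16  /* longest encoding name accepted, incl. NUL */

enum parse_result { PARSE_OK = 0, PARSE_TOO_MANY = 1, PARSE_BAD_TOKEN = 2 };

struct decode_stack {
  size_t depth;                       /* number of decoding steps queued */
  char names[MAX_STEPS][TOKEN_LEN];   /* fixed capacity, never grows */
};

/* Parse a Content-Encoding value such as "gzip, br" into a bounded stack.
   Each comma-separated token is one decompression step. */
enum parse_result build_decode_stack(const char *value,
                                     struct decode_stack *st)
{
  st->depth = 0;
  while(*value) {
    const char *start;
    size_t len;

    /* skip separators and blanks in front of the token */
    while(*value == ',' || isspace((unsigned char)*value))
      value++;
    if(!*value)
      break;

    start = value;
    while(*value && *value != ',')
      value++;
    len = (size_t)(value - start);
    while(len && isspace((unsigned char)start[len - 1]))
      len--;                          /* trim trailing blanks */

    if(len >= TOKEN_LEN)
      return PARSE_BAD_TOKEN;
    /* the bounds check: refuse the header before queuing another step */
    if(st->depth >= MAX_STEPS)
      return PARSE_TOO_MANY;

    memcpy(st->names[st->depth], start, len);
    st->names[st->depth][len] = '\0';
    st->depth++;
  }
  return PARSE_OK;
}
```

Without the depth check, the number of queued decoders is dictated entirely by the header the server sends.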