CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-6874: macidn punycode buffer overread

Description

libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of
the converted string.

Classification

CVE ID: CVE-2024-6874

Affected Products

Vendor: curl

Product: curl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 38.73% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://curl.se/docs/CVE-2024-6874.json
https://curl.se/docs/CVE-2024-6874.html
https://hackerone.com/reports/2604391
http://www.openwall.com/lists/oss-security/2024/07/24/2

Timeline

2025-02-14 00:32:30 UTC
CVE

macidn punycode buffer overread