CVE-2024-6874
Published 2024-07-24
Priority P425 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.99% (77.4th percentile)
libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. When asked to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack-based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly but does not null terminate the string.
This flaw can lead to stack contents accidentally getting returned as part of
the converted string.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.8.0 – 8.8.0 | — |
| debian | curl | < curl 8.9.0-1 (forky) | curl 8.9.0-1 (forky) |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-r0 | 8.9.0-r0 |
| haxx | curl | >= 0 < 8.9.0-1 | 8.9.0-1 |
| haxx | curl | >= 0 < 8.9.0-1 | 8.9.0-1 |
| haxx | libcurl | — | — |
| msrc | azl3_cmake_3.30.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.30.3-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_curl_8.8.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_curl_8.8.0-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_curl_8.8.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_8.8.0-6_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
osv · 4.3 · MEDIUM
vendor_debian · 4.3 · LOW
vendor_msrc · 4.3 · MEDIUM
vendor_redhat · 4.3 · MEDIUM
Red Hat
curl: macidn punycode buffer overread
vendor_redhat·2024-07-24·CVSS 4.3
CVE-2024-6874 [MEDIUM] CWE-126 curl: macidn punycode buffer overread
A buffer overread vulnerability was found in Curl's URL API function curl_url_get(). This issue allows a remote attacker to obtain sensitive information due to a punycode buffer overread flaw. By sending a specially crafted request, an attacker can gain sensitive inf
Microsoft
macidn punycode buffer overread
vendor_msrc·2024-07-09·CVSS 4.3
CVE-2024-6874 [MEDIUM] CWE-125 macidn punycode buffer overread
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure
Debian
CVE-2024-6874: curl - libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_g...
vendor_debian·2024·CVSS 4.3
CVE-2024-6874 [MEDIUM] CVE-2024-6874: curl - libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_g...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.9.0-1)
sid: resolved (fixed in 8.9.0-1)
trixie: resolved (fixed in 8.9.0-1)
OSV
CVE-2024-6874: libcurl's URL API function [curl_url_get()](https://curl
osv·2024-07-24·CVSS 4.3
CVE-2024-6874 [MEDIUM] CVE-2024-6874: libcurl's URL API function [curl_url_get()](https://curl
GHSA
GHSA-chhh-4xrf-42pg: libcurl's URL API function
[curl_url_get()](https://curl
ghsa_unreviewed·2024-07-24
CVE-2024-6874 [LOW] CWE-125 GHSA-chhh-4xrf-42pg: libcurl's URL API function
[curl_url_get()](https://curl
No detection rules found.
No public exploits indexed.
HackerOne
curl: stack-buffer overread during punycode conversions
hackerone·2024-09-22·CVSS 4.3
CVE-2024-6874 [MEDIUM] curl: stack-buffer overread during punycode conversions
Hello, I would like to report a vulnerability here, initially reported by me to the curl project.
HackerOne report: https://hackerone.com/reports/2604391
CVE: CVE-2024-6874
Advisory: https://curl.se/docs/CVE-2024-6874.html
Severity: Low
## Impact
When converting the domain name of a URL from/to punycode with libcurl's URL API, libcurl reads past the bounds of a stack-buffer and includes
adjacent stack-memory in the conversion result. This potentially leaks pointer values.
libcurl's URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function
Bugzilla
CVE-2024-6874 curl: macidn punycode buffer overread
bugzilla·2024-07-24·CVSS 4.3
CVE-2024-6874 [MEDIUM] CVE-2024-6874 curl: macidn punycode buffer overread
Discussion:
From Advisory:
AFFECTED VERSIONS
The vulnerable code can only be reached when curl is built to use macidn, the native IDN conversion library bundled with Apple's operating systems: macOS, iOS, ipadOS etc. Builds using other IDN backends
HackerOne
CVE-2024-6874: macidn punycode buffer overread
hackerone·2024-07-24·CVSS 4.3
CVE-2024-6874 [MEDIUM] CVE-2024-6874: macidn punycode buffer overread
libcurl at commit [58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c](https://github.com/curl/curl/tree/58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c) contains a stack-buffer overread in [lib/idn.c:75](https://github.com/curl/curl/blob/58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c/lib/idn.c#L75) that can be triggered when the host of a URL is converted to punycode.
The root cause of the bug is in the function `mac_idn_to_ascii()`:
```c
static CURLcode mac_idn_to_ascii(const char *in, char **out)
{
  // --- snip ---
  UIDNAInfo info = UIDNA_INFO_INITIALIZER;
  char buffer[256] = {0};
  // A result of exactly 256 bytes fills buffer and leaves no room for a NUL.
  (void)uidna_nameToASCII_UTF8(idna, in, -1, buffer,
                               sizeof(buffer), &info, &err);
  uidna_close(idna);
  if(U_FAILURE(err)) {
    return CURLE_URL_MALFORMAT;
  }
  else {
    // strdup() scans for a NUL and, finding none in buffer, reads past it.
    *out = strdup(buffer);
    if(*
```
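The snippet in the report above hands `buffer` to `strdup()` with no proof that a terminator exists. The following C is an added example (not curl's code and not its actual fix) of a caller that checks the reported length at the 255/256-byte boundary; `convert_stub()`, `convert_checked()` and `accepts_length()` are hypothetical names, and the stub only models the fill-without-terminator behaviour the advisory describes.

```c
#include <stdlib.h>
#include <string.h>

#define OUT_CAP 256 /* same size as the stack buffer in the report */

/* Hypothetical stand-in for the IDN backend call: copies at most cap bytes
   of the result and returns its full length. As in the behaviour described
   above, it writes no NUL when the result fills dest exactly. */
static size_t convert_stub(const char *in, char *dest, size_t cap)
{
  size_t need = strlen(in);
  memcpy(dest, in, need < cap ? need : cap);
  if(need < cap)
    dest[need] = '\0';
  return need;
}

/* Hardened caller: the buffer is only used when the reported length proves
   a terminator fits, and it is copied by length. NULL means rejected. */
static char *convert_checked(const char *in)
{
  char buffer[OUT_CAP], *out;
  size_t len = convert_stub(in, buffer, sizeof(buffer));
  if(len >= sizeof(buffer))
    return NULL; /* 256 bytes or more: no room for the terminator */
  out = malloc(len + 1);
  if(!out)
    return NULL;
  memcpy(out, buffer, len); /* never scan buffer for a NUL */
  out[len] = '\0';
  return out;
}

/* Feeds a constructed name of n 'a' bytes through the checked path;
   returns 1 if it was accepted intact, 0 if it was rejected. */
static int accepts_length(size_t n)
{
  char in[OUT_CAP + 8] = {0}, *out;
  int ok;
  if(n >= sizeof(in))
    return 0;
  memset(in, 'a', n);
  out = convert_checked(in);
  ok = out && strlen(out) == n;
  free(out);
  return ok;
}

int main(void) { return (accepts_length(255) && !accepts_length(256)) ? 0 : 1; }
```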
http://www.openwall.com/lists/oss-security/2024/07/24/2
https://curl.se/docs/CVE-2024-6874.html
https://curl.se/docs/CVE-2024-6874.json
https://hackerone.com/reports/2604391
https://security.netapp.com/advisory/ntap-20240822-0004/