
[GHSA-97xx-95pm-5qv6] When a protocol selection parameter option disables all...#7367

Closed
tjuyuxinzhang wants to merge 1 commit into tjuyuxinzhang/advisory-improvement-7367 from tjuyuxinzhang-GHSA-97xx-95pm-5qv6

Conversation

@tjuyuxinzhang

Updates

  • Affected products
  • CWEs
  • References
  • Source code location
  • Summary

Comments
This advisory currently lacks precise upstream version boundaries and may overgeneralize affected versions across ecosystems.

According to the official curl security advisory:

https://curl.se/docs/CVE-2024-2004.html

CVE-2024-2004 affects both curl and libcurl due to a logic flaw in protocol selection handling. When a protocol selection string disables all protocols without enabling any, the default protocol set is incorrectly retained, allowing unintended protocol usage (e.g., plaintext HTTP).

Correct upstream version information:

  • Affected versions: >= 7.85.0 and <= 8.6.0
  • Not affected: < 7.85.0
  • Fixed in: 8.7.0

The vulnerability was:

  • Introduced in commit: e6f8445edef8e7996d1cfb141d6df184efef972c
  • Fixed in commit: 17d302e56221f5040092db77d4f85086e8a20e0e

This issue impacts:

  • curl CLI (--proto option)
  • libcurl when using string-based protocol selection (CURLOPT_PROTOCOLS_STR / REDIR_PROTOCOLS_STR)

It should not be represented as affecting all historical versions or unrelated packages.

Severity remains LOW as assessed by the curl security team.

The current advisory lacks precise upstream version boundaries and may incorrectly imply broader impact.

Upstream curl explicitly defines:

  • Introduced in 7.85.0
  • Fixed in 8.7.0

Some data sources incorrectly mark the vulnerability as affecting all historical versions (introduced=0), which is inaccurate.

This change aligns the advisory with the official curl security advisory and ensures correct affected version range and component scope (curl/libcurl only).
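As an added illustration (not code from this PR, the advisory, or curl itself), the following Python models the protocol selection logic the description refers to: the flawed variant falls back to the default set when a selection string leaves nothing enabled, while the corrected variant keeps the empty set. The protocol universe, the `+`/`-`/`=` token semantics, the sample inputs and the function names are assumptions modelled on curl's documented `--proto` syntax.

```python
"""Model of a curl-style protocol selection string (--proto / CURLOPT_PROTOCOLS_STR).

Added example, not curl's own code. The protocol set and the +/-/= token
semantics are assumptions modelled on the documented --proto syntax.
"""
from __future__ import annotations

# Constructed sample protocol universe; the default allow list is "everything".
ALL_PROTOCOLS = frozenset({"http", "https", "ftp", "ftps", "sftp", "file"})
DEFAULT_PROTOCOLS = frozenset(ALL_PROTOCOLS)


def apply_selection(spec: str, defaults: frozenset[str]) -> set[str]:
    """Apply a comma-separated selection string to the default allow list.

    Token prefixes: '+' permit in addition (also the default for a bare name),
    '-' deny, '=' permit only this. The name 'all' expands to every protocol.
    """
    allowed = set(defaults)
    for token in filter(None, (t.strip() for t in spec.split(","))):
        op, name = (token[0], token[1:]) if token[0] in "+-=" else ("+", token)
        if name != "all" and name not in ALL_PROTOCOLS:
            raise ValueError(f"unknown protocol: {name}")
        chosen = set(ALL_PROTOCOLS) if name == "all" else {name}
        if op == "+":
            allowed |= chosen
        elif op == "-":
            allowed -= chosen
        else:
            allowed = chosen
    return allowed


def allowed_protocols_flawed(spec: str) -> set[str]:
    """Flawed logic described in the advisory: an empty result silently
    falls back to the default set, so "-all,-http" still permits plain HTTP."""
    result = apply_selection(spec, DEFAULT_PROTOCOLS)
    return result if result else set(DEFAULT_PROTOCOLS)  # the bug


def allowed_protocols_fixed(spec: str) -> set[str]:
    """Corrected behaviour: a selection that removes everything permits nothing."""
    return apply_selection(spec, DEFAULT_PROTOCOLS)


def is_scheme_allowed(url: str, allowed: set[str]) -> bool:
    """Constructed policy check: is the URL scheme in the allow list?"""
    scheme = url.split("://", 1)[0].lower()
    return scheme in allowed
```

Compare `allowed_protocols_flawed("-all,-http")` with `allowed_protocols_fixed("-all,-http")`: only the flawed variant permits a `http://` URL.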

@github-actions github-actions bot changed the base branch from main to tjuyuxinzhang/advisory-improvement-7367 April 12, 2026 17:25
@shelbyc
Contributor

shelbyc commented Apr 14, 2026

👋 Hi @tjuyuxinzhang, I'm closing the PR because curl isn't in one of the GitHub Advisory Database's supported ecosystems and therefore can't be added to the set of reviewed advisories. We can't make any changes to advisories without reviewing them. Thank you for your interest in GHSA-97xx-95pm-5qv6.

@shelbyc shelbyc closed this Apr 14, 2026
@github-actions github-actions bot deleted the tjuyuxinzhang-GHSA-97xx-95pm-5qv6 branch April 14, 2026 15:17