PatchSiren cyber security CVE debrief

CVE-2023-38546 Haxx CVE debrief

CVE-2023-38546 is a low-severity libcurl issue where a duplicated easy handle can inherit cookie-enabled state without the underlying cookie file source being preserved correctly. Under the specific conditions described by the vendor and NVD, a program may later try to load cookies from a local file named "none" in its current working directory. The main risk is unintended cookie injection into an application that uses libcurl with cookie support and handle duplication.

Vendor: Haxx
Product: CVE-2023-38546
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-10-18
Original CVE updated: 2026-05-12
Advisory published: 2023-10-18
Advisory updated: 2026-05-12

Who should care

Developers and operators of applications that use libcurl, especially code that calls curl_easy_duphandle while cookies are enabled or that relies on inherited handle state. Systems that run with writable current directories or unexpected local files are more exposed to the unintended cookie-load behavior.

Technical summary

According to the CVE description, libcurl duplicates easy handles via curl_easy_duphandle. If cookies are enabled at duplication time, the cookie-enabled state is cloned, but the actual cookies are not. If the source handle had not read cookies from a specific file on disk, the duplicated handle may store the cookie source as the literal value "none". Later use of that duplicated handle, without explicitly setting a cookie source, can cause libcurl to load cookies from a file named "none" in the program's current directory if such a file exists, is readable, and is in the correct cookie-file format. NVD lists affected libcurl versions from 7.9.1 up to, but not including, 8.4.0.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libcurl to a fixed version at or above 8.4.0.
  • Review all uses of curl_easy_duphandle in applications that enable cookies or inherit transfer state.
  • After duplicating handles, explicitly set the intended cookie source instead of relying on inherited state.
  • Audit deployment and runtime directories for unexpected readable files named "none" that could be picked up by affected programs.
  • Validate application behavior with cookies disabled or explicitly configured when handle duplication is required.
  • Consult the curl advisory and NVD entry to confirm affected versions and vendor guidance for your environment.
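A small audit helper for the version check and the "none"-file audit in the list above, added here as an example; it is not part of the curl project. The function names are my own, and using curl-config to read the installed libcurl version is an assumption about the host.

```sh
#!/bin/sh
# Added example (not curl project code): audit helpers for CVE-2023-38546.
# 1) flag libcurl versions in the affected range 7.9.1 <= v < 8.4.0
# 2) list readable regular files literally named "none" under a directory

# Convert "MAJOR.MINOR.PATCH" (any trailing suffix such as "-DEV" is dropped)
# into a single integer so versions can be compared numerically.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=${v%%.*}; rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi      # no minor component
    min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi     # no patch component
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# Returns 0 (true) when the given libcurl version is in the NVD-listed
# affected range: from 7.9.1 up to, but not including, 8.4.0.
libcurl_affected() {
    k=$(version_key "$1")
    lo=$(version_key 7.9.1)
    hi=$(version_key 8.4.0)
    [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]
}

# Assumption: curl-config is installed; it prints e.g. "libcurl 8.4.0".
installed_libcurl_version() {
    curl-config --version 2>/dev/null | awk '{print $2}'
}

# Print readable regular files named exactly "none" below $1.
# Exit status 0 if at least one was found, 1 otherwise (grep . does the count).
find_none_files() {
    find "$1" -type f -name none -exec test -r {} \; -print 2>/dev/null | grep .
}

# Usage (run manually, not at load time):
#   libcurl_affected "$(installed_libcurl_version)" && echo "libcurl affected"
#   find_none_files /srv/app && echo "stray 'none' cookie file(s) found"
```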

Evidence notes

The supplied CVE description states that the issue involves cookie-enabled easy handles duplicated with curl_easy_duphandle and that a duplicated handle may later load cookies from a local file named "none" under specific conditions. The NVD metadata lists affected libcurl versions from 7.9.1 up to, but not including, 8.4.0 and gives CVSS v3.1 as AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (3.7, Low). The timeline supplied here shows the CVE was published on 2023-10-18 and modified on 2026-05-12; those dates are used only as publication/metadata context, not as evidence of exploitation.

Official resources

CVE published: 2023-10-18T04:15:11.137Z. CVE metadata last modified: 2026-05-12T11:16:13.030Z. Source publication date matches the CVE publication date in the supplied timeline.