The maintainers of curl have announced that they will release a new version today, October 11 2023. In the 8.4.0 release, they fixed CVE-2023-38545: SOCKS5 heap buffer overflow.
You might be wondering which version of curl you are running. In PHP this is easy to do. The builtin curl_version function gives you all information you need.
Use it like this:
curl_version();
The return value will be an array with these details:
Array(16) {
["version_number"]=> int()
["age"]=> int()
["features"]=> int()
["ssl_version_number"]=> int()
["version"]=> string() "x.x.x"
["host"]=> string() "host"
["ssl_version"]=> string() ""
["libz_version"]=> string() ""
["protocols"]=> array() {}
["ares"]=> string() ""
["ares_num"]=> int()
["libidn"]=> string() ""
["iconv_ver_num"]=> int()
["libssh_version"]=> string() ""
["brotli_ver_num"]=> int()
["brotli_version"]=> string() ""
The version
index will give you the version of curl
itself. Anything below 8.4.0
is vulnerable to this specific problem.
Whether or not your system is affected by this specific vulnerability also depends on your specific curl configuration. The way I read it, you are only affected if you have configured a SOCKS5 hostname or a (pre)proxy with a SOCKS5 schema.
Update: 2023-10-13: This article explains nicely which configurations are affected, the default configuration is not.