GHSA-c68q-h477-5646HighCVSS 7.5

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper...

Published
July 3, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

🔗 References (5)