When curl is asked to use HSTS, the expiry time for a... · CVE-2024-9681 · GitHub Advisory Database · GitHub
CVE-2024-9681
When curl is asked to use HSTS, the expiry time for a...
Moderate severity
Unreviewed
Published Nov 6, 2024 to the GitHub Advisory Database
Updated Dec 13, 2024
Description
Published by the National Vulnerability Database: Nov 6, 2024
Published to the GitHub Advisory Database: Nov 6, 2024
Last updated: Dec 13, 2024
Severity: Moderate / 10
CVSS v3 base metrics
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS score: (57th percentile)
Weaknesses
CWE-697 Incorrect Comparison: The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. Learn more on MITRE.
CVE ID: CVE-2024-9681
GHSA ID: GHSA-g337-g667-mjvw
Source code: No known source code
Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access https://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.
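The incorrect comparison described above, modelled as an added example that is not curl's code: a simplified HSTS cache in which lookup() correctly lets a parent's includeSubDomains entry govern a subdomain, but reusing that same match when storing the subdomain's own header lets its max-age overwrite the parent's expiry. The exact_match flag, the entry fields and the example.com scenario are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class HstsEntry:
    host: str                  # domain the entry was stored for
    expires: int               # absolute expiry, seconds since the epoch
    include_subdomains: bool   # entry also covers hosts below `host`

def lookup(cache, host):
    """Entry governing `host`: exact match, or a parent entry marked
    includeSubDomains. This is the right comparison for the HTTPS-upgrade decision."""
    for e in cache:
        if e.host == host or (e.include_subdomains and host.endswith("." + e.host)):
            return e
    return None

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, incl = None, False
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age":
            max_age = int(v.strip().strip('"'))
        elif k.lower() == "includesubdomains":
            incl = True
    return max_age, incl

def update(cache, host, header, now, exact_match):
    """Apply a Strict-Transport-Security header received from `host` (assumed model).
    exact_match=False reproduces the bug: whatever lookup() matched, possibly the
    parent domain's entry, receives the subdomain's new expiry.
    exact_match=True is the corrected behaviour: only this exact host's entry changes."""
    max_age, incl = parse_sts(header)
    if max_age is None:          # header without max-age carries no expiry
        return None
    e = next((x for x in cache if x.host == host), None) if exact_match else lookup(cache, host)
    if e is None:
        e = HstsEntry(host, now + max_age, incl)
        cache.append(e)
    else:
        e.expires, e.include_subdomains = now + max_age, incl
    return e

def parent_ttl_after(exact_match, now=1_730_000_000):
    """Constructed scenario: example.com holds a one-year entry, then x.example.com
    answers with max-age=60. Returns example.com's remaining TTL in seconds."""
    cache = [HstsEntry("example.com", now + 31_536_000, True)]
    update(cache, "x.example.com", "max-age=60", now, exact_match)
    return next(x for x in cache if x.host == "example.com").expires - now
```

With the buggy comparison the parent's one-year entry collapses to 60 seconds, which is the "expire earlier" case from the description; a subdomain header with a longer max-age would produce the "expire later" case the same way.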