CVE-2024-9681

When curl is asked to use HSTS, the expiry time for a subdomain might<br /> overwrite a parent domain&amp;#39;s cache entry, making it end sooner or later than<br /> otherwise intended.<br /> <br /> This affects curl using applications that enable HSTS and use URLs with the<br /> insecure `HTTP://` scheme and perform transfers with hosts like<br /> `x.example.com` as well as `example.com` where the first host is a subdomain<br /> of the second host.<br /> <br /> (The HSTS cache either needs to have been populated manually or there needs to<br /> have been previous HTTPS accesses done as the cache needs to have entries for<br /> the domains involved to trigger this problem.)<br /> <br /> When `x.example.com` responds with `Strict-Transport-Security:` headers, this<br /> bug can make the subdomain&amp;#39;s expiry timeout *bleed over* and get set for the<br /> parent domain `example.com` in curl&amp;#39;s HSTS cache.<br /> <br /> The result of a triggered bug is that HTTP accesses to `example.com` get<br /> converted to HTTPS for a different period of time than what was asked for by<br /> the origin server. If `example.com` for example stops supporting HTTPS at its<br /> expiry time, curl might then fail to access `http://example.com` until the<br /> (wrongly set) timeout expires. This bug can also expire the parent&amp;#39;s entry<br /> *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier<br /> than otherwise intended.