On October 4, the developers of curl announced that they would release a fix for a high severity vulnerability in curl and libcurl (CVE-2023-38545) in curl 8.4.0 on October 11. The vulnerability is a heap buffer overflow in curl's SOCKS5 proxy handshake code; it is reached when curl is configured to let the SOCKS5 proxy resolve hostnames (the socks5h:// proxy type) and is asked to connect to a hostname longer than 255 bytes. The exact conditions an environment must meet to be vulnerable are outlined in curl's security advisory.
Are you affected?
Based on our investigation, we did not identify any SOCKS5 usage in the GitLab.com or GitLab Dedicated environments. Customers on GitLab.com and GitLab Dedicated are not susceptible to this vulnerability because neither environment allows a SOCKS5 proxy to be configured.
Self-managed customers who operate a SOCKS5 proxy alongside their GitLab installation should refer to curl's security advisory to assess their exposure. The vulnerability affects libcurl versions 7.69.0 through 8.3.0 inclusive; the developers of curl encourage all affected users to upgrade to curl 8.4.0.
Assessing the impact to GitLab's platform, users, and customers
Upon learning of the vulnerability's existence, GitLab's security and development teams proactively identified where curl and libcurl are used across the GitLab environment. This scoping exercise gave us initial working assumptions about the potential impact to GitLab's platforms, users, and customers.
After the curl developers published the advisory, our teams built on that scoping and checked for SOCKS5 usage across our environment, looking both for curl SOCKS5 proxy options and for proxy environment variables that point at a SOCKS5 proxy.
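The exposure check described above for self-managed installations, and the options-and-environment-variables review we performed, can be scripted. The following POSIX shell script is an added example and is not part of GitLab's post or GitLab's own tooling. It assumes `curl` is on PATH, that an Omnibus installation keeps its configuration at /etc/gitlab/gitlab.rb (the default path), and that proxy settings may be passed to the application through the standard curl proxy environment variables; the gitlab.rb fragment it scans in the demo is constructed for illustration, not taken from a real deployment.

```shell
#!/bin/sh
# Added example: assess exposure to CVE-2023-38545 (curl SOCKS5 heap overflow).
# Assumptions (not from the GitLab post): POSIX sh, `curl` on PATH, Omnibus
# config at /etc/gitlab/gitlab.rb. Sample config data below is constructed.

# Convert "MAJOR.MINOR.PATCH" (optionally with a suffix such as "-DEV")
# into a single integer so versions can be compared numerically.
ver_num() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0          # no patch component given
    pat=${pat%%.*}                         # ignore any fourth component
    echo $((maj * 1000000 + min * 1000 + pat))
}

# Return 0 (true) if a curl/libcurl version lies in the affected range
# 7.69.0 through 8.3.0 inclusive, as stated in the curl advisory.
curl_version_affected() {
    n=$(ver_num "$1")
    [ "$n" -ge "$(ver_num 7.69.0)" ] && [ "$n" -le "$(ver_num 8.3.0)" ]
}

# Return 0 if a proxy URL makes curl speak SOCKS5. The advisory's trigger
# path needs proxy-side name resolution (socks5h://); plain socks5:// is
# flagged as well so that it gets reviewed rather than silently ignored.
proxy_uses_socks5() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        socks5h://*|socks5://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan the proxy environment variables curl honours. Prints each SOCKS5
# setting found and returns 0 if there was at least one.
scan_proxy_env() {
    found=1
    for var in ALL_PROXY all_proxy HTTPS_PROXY https_proxy http_proxy; do
        eval "val=\${$var:-}"
        if [ -n "$val" ] && proxy_uses_socks5 "$val"; then
            echo "env: $var=$val"
            found=0
        fi
    done
    return $found
}

# Report SOCKS5 proxy URLs in a config file (e.g. /etc/gitlab/gitlab.rb,
# where proxy variables are commonly set under gitlab_rails['env']).
scan_file_for_socks5() {
    [ -r "$1" ] || return 1
    grep -inE 'socks5h?://' "$1"
}

# Demo on a constructed gitlab.rb fragment (not a real customer config).
demo_sample_config() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample: proxy variables handed to the Rails application
gitlab_rails['env'] = {
  'ALL_PROXY' => 'socks5h://proxy.internal:1080',
  'NO_PROXY'  => 'localhost,127.0.0.1'
}
EOF
    if scan_file_for_socks5 "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

main() {
    # The flaw is in libcurl, so read the libcurl version, not the tool's.
    ver=$(curl --version 2>/dev/null | sed -n '1s/.*libcurl\/\([0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "curl: not found on PATH"
    elif curl_version_affected "$ver"; then
        echo "libcurl $ver: in affected range 7.69.0-8.3.0, upgrade to curl 8.4.0 or later"
    else
        echo "libcurl $ver: outside affected range"
    fi
    if scan_proxy_env; then
        echo "SOCKS5 proxy configured via environment: review exposure per the curl advisory"
    else
        echo "no SOCKS5 proxy in environment variables"
    fi
    for f in /etc/gitlab/gitlab.rb "${1:-}"; do
        if [ -n "$f" ] && scan_file_for_socks5 "$f"; then
            echo "$f: SOCKS5 proxy URL present"
        fi
    done
    return 0
}
main "$@"
```

Run it as `sh check_curl_socks5.sh [extra-config-file]` on each self-managed node. Both findings matter together: a libcurl in the affected range is only exploitable where a SOCKS5 proxy is actually configured, and a SOCKS5 proxy is only a concern while the libcurl in use is older than 8.4.0.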
GitLab prioritizes and values security. Our response to this vulnerability put the security of our platform and of our customers' data first. The GitLab Security team will continue monitoring the situation and will update this blog post with any important details or required actions as needed.