libcurl vuln

[Sharyie]

This package points to an old ref of libcurl related to https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/.

Could you update it?

[nktnet1]

@Sharyie your link sends us to "https://github.com/JCMais/node-libcurl/issues/url" when clicked on, so I'll leave the raw text to the blog post here:

• https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl

P.S. Snyk security also picked up on these two vulnerabilities:

1. Heap-based Buffer Overflow (high, 7.7)
   • https://security.snyk.io/vuln/SNYK-JS-NODELIBCURL-5933251
2. External Control of File Name or Path (low, 3.7)
   • https://security.snyk.io/vuln/SNYK-JS-NODELIBCURL-5933252

[JCMais]

I will try to start the upgrade process this weekend, however updating to 8.4 will take some time, so no promises here.

For now, my advice would be to follow the recommendations in the advisory.