libcurl OpenSSL Partial Chain Store Policy Bypass Vulnerability

Vulnerability

A vulnerability exists in libcurl when OpenSSL is the TLS backend and an easy or multi handle is reused across TLS transfers. If the 'CURLSSLOPT_NO_PARTIALCHAIN' option is enabled, libcurl may inadvertently accept a partial trust chain from a CA store cached in memory, contrary to the user's intention. The flaw arises because the cached CA store, retained for up to 24 hours by default, can be reused in a way that bypasses the intended partial-chain restriction. As a result, libcurl might accept a trust chain that it would otherwise reject; it still verifies certificates and returns an error if a certificate cannot be validated.

Impact

Exploiting this vulnerability could lead to improper certificate validation, allowing libcurl to accept trust chains that should be rejected.

Remediation

Users are advised to upgrade libcurl to version 8.18.0 or later. Until then, avoid enabling the 'CURLSSLOPT_NO_PARTIALCHAIN' option on reused handles and consider disabling the CA store cache by setting 'CURLOPT_CA_CACHE_TIMEOUT' to zero.

Added: Jan 8, 2026, 10:47 AM
Updated: Jan 8, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 7.9
relevance: 1.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.