How to check the cURL version used in PHP?

By admin
The maintainers of curl have announced that they will release a new version today, October 11 2023. In the 8.4.0 release, they fixed CVE-2023-38545: SOCKS5 heap buffer overflow.

You might be wondering which version of curl you are running. In PHP this is easy to do. The builtin curl_version function gives you all information you need.

Use it like this:

curl_version();

The return value will be an array with these details:

Array (16) {
  ["version_number"]=> int()
  ["age"]=> int()
  ["features"]=> int()
  ["ssl_version_number"]=> int()
  ["version"]=> string() "x.x.x"
  ["host"]=> string() "host"
  ["ssl_version"]=> string() ""
  ["libz_version"]=> string() ""
  ["protocols"]=> array() {}
  ["ares"]=> string() ""
  ["ares_num"]=> int()
  ["libidn"]=> string() ""
  ["iconv_ver_num"]=> int()
  ["libssh_version"]=> string() ""
  ["brotli_ver_num"]=> int()
  ["brotli_version"]=> string() ""
}

The version index will give you the version of curl itself. Anything below 8.4.0 is vulnerable to this specific problem.

Whether or not your system is affected by this specific vulnerability also depends on your specific curl configuration. The way I read it, you are only affected if you have configured a SOCKS5 hostname or a (pre)proxy with a SOCKS5 schema.

Update: 2023-10-13: This article explains nicely which configurations are affected; the default configuration is not.
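The two checks described above (version, then proxy configuration) can be combined in one script. This is an added example, not code from the original post; the function names, the `FIXED_VERSION` constant and the sample options are hypothetical, and treating both `socks5://` and `socks5h://` proxy URLs as relevant is a conservative assumption.

```php
<?php
// Added example, not from the original post. Names below are hypothetical.

const FIXED_VERSION = '8.4.0'; // release the post names as carrying the fix

/** True when the libcurl that PHP is linked against is older than the fixed release. */
function curlIsOlderThanFix(array $info): bool
{
    return version_compare($info['version'], FIXED_VERSION, '<');
}

/**
 * True when a set of cURL options uses SOCKS5 in the way the post describes:
 * proxy type "SOCKS5 hostname", or a proxy/pre-proxy URL with a socks5 scheme.
 * Matching both socks5:// and socks5h:// is an assumption of this example.
 */
function usesSocks5(array $opts): bool
{
    if (($opts[CURLOPT_PROXYTYPE] ?? null) === CURLPROXY_SOCKS5_HOSTNAME) {
        return true;
    }
    foreach ([CURLOPT_PROXY, CURLOPT_PRE_PROXY] as $key) {
        if (preg_match('#^socks5h?://#i', (string) ($opts[$key] ?? ''))) {
            return true;
        }
    }
    return false;
}

// Constructed sample: stands in for the options your code passes to curl_setopt_array().
$sampleOpts = [
    CURLOPT_URL   => 'https://example.com/',
    CURLOPT_PROXY => 'socks5h://127.0.0.1:1080',
];

$info = curl_version();
printf("libcurl %s (%s)\n", $info['version'], $info['ssl_version']);

if (!curlIsOlderThanFix($info)) {
    echo "At or above " . FIXED_VERSION . ": fix included.\n";
} elseif (usesSocks5($sampleOpts)) {
    echo "Older than " . FIXED_VERSION . " and a SOCKS5 proxy is configured: update libcurl.\n";
} else {
    echo "Older than " . FIXED_VERSION . ", no SOCKS5 proxy in these options: update when you can.\n";
}
```

Distribution packages sometimes carry a backported fix under an older version string, so check the package changelog as well as the reported version.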