A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Related CVEs

CVE-2020-8284

Key Information

GHSA ID

GHSA-69rc-qfx4-h683

Published

May 24, 2022 5:36 PM

Last Modified

March 27, 2024 6:32 PM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 19, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.