[alkonaut]

But what does a “typical” attack on a libcurl vuln look like? Unlike a server process attack, wouldn’t curl be required to be directed to the attacker’s malicious content?

So the vulnerable systems are those where an attacker can craft an endpoint where curl downloads data?

Isn’t the lucky circumstance here that most systems with libcurl don’t use it and among those who do, an even tinier subset will allow an attacker to point it anywhere (e.g downloads from an url the attacker decides)?

[Fatnino]

Maybe it's a bug in how curl checks certificates.

So a victim behind a hostile AP might be redirected to a malicious site masquerading as a known legit site and when the bad site presents a maliciously crafted bogus certificate curl doesn't notice.

[alkonaut]

True, there are probably ways that could make this more severe if it's related to that kind of thing. And it would need to be on that level to come close to an attack of the kind that the log4j debacle was.