
I don't think the comment above you is a valid perspective considering that it does not appear to be a 0-day vulnerability and there is no evidence of it being used in the wild. The information he provided is IMO not enough to craft an exploit out of. Yes, now there is a giant bullseye on cURL and maybe the bad guys will start looking hard at it, but cURL has always been a widely distributed piece of software that needs to interact with the unsafe world (the internet), so I would imagine attackers have been looking at it for a while already. So far he hasn't revealed critical information such as when the vulnerability was introduced and exactly what area it affects, which would have helped a potential attacker narrow down the scope.

So I think it's just fearmongering to say suddenly people will craft exploits because of this notice. Like, if they are so good at finding the exploit then they probably would have found it a long time ago already given the lack of useful intel here.



