violet-spark

posts from @violet-spark tagged #software

artemis
@artemis

In ecology, we have the concept of an "invasive species". Of course, the species itself is not a malevolent force; typically it had a home somewhere, and it's been introduced somewhere else against its own will. But, it happens to do very well in this new place. Take the Himalayan Blackberry, a species that is constantly threatening ecosystems around where I live. It has few if any predators because herbivores around here are not prepared to eat through its massive thorns and rigid woody stems. It can very easily starve other plants out and steal their sunlight by jumping over them. In many places, it will win, or has already won. Because it is a better competitor.

But here's the thing about monocultures: they are unstable. They are vulnerable. As soon as a disease finds a way to infect the dominant species, or a new animal shows up that can eat it, or hell the monocultured species just runs out of nutrients in the soil because there's not a whole ecosystem replenishing important nutrients it consumes- they start to die.

We see this constantly in cases where the process has been accelerated by monocrop agriculture. Monocrop farming is constantly dealing with crops being incredibly brittle and vulnerable to change.

And we see this in software. A protocol is created. An idea is born. A single implementation of that idea is adapted everywhere, because it works already, so people use it. Or a single implementation is so good, that people stop using all the other ones that came before it. Or a tool becomes so complex that nobody could hope to remake it from the ground up with the resources available to them. And then people find a bug in the code. And now everyone is scared, because everyone is vulnerable.

This has happened with TLS by way of OpenSSL. With any Chrome bug by way of Electron. With webp by way of libwebp. With data parsers, with video codecs, chat protocols, file sharing protocols, operating systems, with many many things. Heaven forbid someone find a way to attack libcurl!

The industry and culture around technology sees re-making something that already exists as "duplicated effort", that serves no purpose. So often it happens only to get around licensing restrictions or a lack of open source code. But it serves other purposes. To reinforce the foundations. To ensure that if something is vulnerable, not everything is weakened while it adapts. To find places where the protocol was violated because the only implementation of the protocol did not notice the violation (looking at you Matrix). To provide options, to explore other ways of solving the same problem.

And to reproduce the knowledge necessary to understand these technologies in the first place. Because someone's got to maintain what we build now, and none of us last forever.


violet-spark
@violet-spark

This has happened with TLS by way of OpenSSL. With any Chrome bug by way of Electron. With webp by way of libwebp. With data parsers, with video codecs, chat protocols, file sharing protocols, operating systems, with many many things. Heaven forbid someone find a way to attack libcurl!

GUESS WHAT, FUCKER

The one rated HIGH is probably the worst curl security flaw in a long time.

good luck to curl team. we're all counting on you.