curl: PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary

Summary After a Digest-authenticated HTTP proxy transfer, changing only CURLOPTPREPROXY on the same libcurl easy handle does not clear stale proxy Digest/auth state. If the new SOCKS pre-proxy resolves the same HTTP proxy hostname to a different proxy endpoint, the second proxy receives a...

curl: RTSP Digest auth state leaks across origins on reused libcurl easy handle

Summary When a reused libcurl easy handle first authenticates to one RTSP origin with Digest authentication and is then switched to a different RTSP origin, libcurl can send the old origin's Digest authentication state to the new origin. The second RTSP server does not need to send a...

curl: TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix

Summary TFTP uploads ignore the configured resume offset. When a caller runs curl -C N -T file tftp://... or uses libcurl with CURLOPTUPLOAD and CURLOPTRESUMEFROM, curl should skip the first N bytes of the local source before uploading. Instead, the TFTP code sends the complete local file from by...

PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection

The fix for CVE-2022-35406 1541301 stops Burp from following a redirect when the response Content-Type/Content-Disposition would prevent HTML rendering. The check substring-matches html in the raw Content-Type instead of parsing the media type. A text/plain response can smuggle the token via a...

curl: libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope

Summary: libcurl 8.20.0 ignores the server-declared HTTP Digest domain protection space for origin authentication and reuses stored Digest state too broadly on the same easy handle. After a successful Digest-authenticated request, a later request on the same easy handle can receive a preemptive...

curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy

Summary: curl/libcurl 8.20.0 fails to enforce CURLOPTNOPROXY, --noproxy, and NOPROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...

curl: SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master

Summary: Current master reintroduces a STARTTLS connection-reuse bug in SMTP. After commit 91dcf4e610 url: urlmatchdestination fix, curl/libcurl can reuse an already-established clear-text smtp:// session for a later logical request that explicitly requires TLS via --ssl-reqd or CURLOPTUSESSL =...

curl: Low priority HSTS bypass in curl_easy_duphandle()

Summary: curleasyduphandle creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent's lifetime. This means the client using a cloned handle may...

curl: Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)

Summary: When an HTTP/1.x proxy returns a 407 with no Content-Length and no chunked transfer-encoding, lib/cf-h1-proxy.c singleheader sets ts-keepon = KEEPONDONE but never sets ts-closeconnection = TRUE. Because ts-closeconnection and conn-bits.close both stay false, the CONNECT tunnel state...

curl: CURLOPT_COOKIE leaked to cross-origin redirect target — CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path

Summary: httpcookies at lib/http.c:2532-2534 appends the value of CURLOPTCOOKIE the cookie supplied via -b to outgoing Cookie: headers without invoking Curlauthallowedtohost. As a result, when CURLOPTFOLLOWLOCATION is enabled and the initial origin issues a cross-origin redirect open redirector,...

curl: Mentioned unites are at the same time .Then we have to increase the bounty.

Summary: Once you done with the coding then we have to increase the bounty and then write the reviwe on the same Once we find the error then we have to submit the margin and find the events Affected version Use a language that is not susceptible to these issues. However, be careful of null byte...

curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )

Summary matchsslprimaryconfig in lib/vtls/vtls.c:194 and the session-cache key built by cfsslpeerkeybuild in lib/vtls/vtlsscache.c:240 both compare only struct sslprimaryconfig fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...

curl: lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window

Summary: curl's generic LDAP backend lib/ldap.c does not disable automatic LDAP referral chasing, unlike lib/openldap.c, which explicitly sets LDAPOPTREFERRALS to LDAPOPTOFF. As a result, a malicious first-hop LDAP server can return a referral to an attacker-controlled second LDAP server and caus...

curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication

Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path src/stringbytes.cc. When Buffer.prototype.toString'utf8' is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...

curl: Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow

Hi all, We've found an issue in lib/urlapi.c where redirecturl reads past the end of a heap buffer when the source URL it operates on lacks a "scheme://" prefix. This is reachable through documented public APIs curlurlset when the caller mixes CURLUGUESSSCHEME with a subsequent CURLUNOGUESSSCHEME...

curl: Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree

Hi all, We've found an issue in lib/easy.c where curleasyduphandle shallow-copies set.priority, so the original and the duplicate end up holding two independent pointer-typed variables that both reference the same heap-allocated Curldataprionode chain. Freeing the chain from one side leaves the...

curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write

Summary: The curl CLI's --skip-existing option performs a separate existence check before the download body is written. In the verified path, curl first calls stat on the target pathname and decides "the file does not exist, so continue", but it does not keep an fd bound to that decision. The...

Revive Adserver: PHP code injection via unexpected delivery limitation parameter

A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...