1312213 matches found
curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication
Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...
Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)
I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path src/stringbytes.cc. When Buffer.prototype.toString'utf8' is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...
curl: Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow
Hi all, We've found an issue in lib/urlapi.c where redirecturl reads past the end of a heap buffer when the source URL it operates on lacks a "scheme://" prefix. This is reachable through documented public APIs curlurlset when the caller mixes CURLUGUESSSCHEME with a subsequent CURLUNOGUESSSCHEME...
curl: CVE-2026-9547: SSH improper host validation
Hi all, We've found an issue in lib/vssh/libssh.c where the libssh backend maps SSHKNOWNHOSTSOTHER to CURLKHMATCHMISSING instead of CURLKHMATCHMISMATCH. libssh documents SSHKNOWNHOSTSOTHER as "The server gave us a key of a type while we had another type recorded. It is a possible attack."...
curl: Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree
Hi all, We've found an issue in lib/easy.c where curleasyduphandle shallow-copies set.priority, so the original and the duplicate end up holding two independent pointer-typed variables that both reference the same heap-allocated Curldataprionode chain. Freeing the chain from one side leaves the...
curl: CVE-2026-10536: HTTP/2 stream-dependency tree UAF
Use-after-free in curleasyreset with HTTP/2 stream-dependency tree Hi all, We've found an issue in lib/easy.c where curleasyreset bypasses dataprioritycleanup before clearing data-set, leaving the HTTP/2 stream-dependency tree with dangling pointers to the reset handle. The current curleasyreset ...
curl: CVE-2026-9079: stale proxy password leak
Product Product name: curl / libcurl Product link: https://github.com/curl/curl Suggested CWE: CWE-226: Sensitive Information in Resource Not Removed Before Reuse https://cwe.mitre.org/data/definitions/226.html; alternative CWE-200: Exposure of Sensitive Information to an Unauthorized Actor...
curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication
Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPTFOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPTUNRESTRICTEDAUTH, even though curl alrea...
curl: CVE-2026-9080: UAF after pause in socket callback
Hi all, We've found a heap-use-after-free in lib/multiev.c triggered by calling curleasypause from within a CURLMOPTSOCKETFUNCTION callback. ASAN-confirmed with the self-contained reproducer below. Affected versions: 8.13.0 – 8.20.0 current. The entry-action write line 280 has been vulnerable sin...
curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write
Summary: The curl CLI's --skip-existing option performs a separate existence check before the download body is written. In the verified path, curl first calls stat on the target pathname and decides "the file does not exist, so continue", but it does not keep an fd bound to that decision. The...
curl: CVE-2026-8927: env-set cross-proxy Digest auth state leak
AI-assisted preparation note I used AI assistance to help structure and format this report, but the technical findings, PoC, and verification results are based on local testing against curl/libcurl 8.20.0. Summary I found a possible incomplete-fix variant of CVE-2026-7168 in libcurl 8.20.0. The...
Revive Adserver: PHP code injection via unexpected delivery limitation parameter
A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...
curl: CRLF Injection via Custom HTTP Headers
Summary: libcurl writes user-supplied custom headers directly into the HTTP request buffer without stripping \r\n characters. The raw input pointer origp in Curladdcustomheaders lib/http.c is serialized verbatim into the outgoing request using curlxdynaddfreq, "%s\r\n", origp instead of using the...
curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers
Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...
curl: SSL session-cache peer key omits signature_algorithms: strict-sigalg handle silently resumes a permissive sibling's session
CURLOPTSSLSIGNATUREALGORITHMS policy bypass: SSL session cache key omits sigalgs, allowing a strict-sigalg handle to resume a session negotiated under a permissive policy AI disclosure This report was prepared with the assistance of an AI coding assistant Claude. The behavioral diff pre/post patc...
AWS VDP: Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability
A vulnerability was discovered in Firecracker versions up to 1.15.1 that could allow a malicious guest to bypass protection mechanisms and perform out-of-bounds read and write operations on the virtio PCI queue. The vulnerability was caused by inconsistencies in the handling of queue activation...
Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset
Summary: A 19-byte malformed SQLite changeset passed to Node.js node:sqlite DatabaseSyncapplyChangeset causes a native NULL pointer dereference and terminates the Node.js process. Description: The built-in Node.js node:sqlite API exposes DatabaseSyncapplyChangesetchangeset, options, which accepts...
curl: NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME
Summary A NULL pointer dereference appears to exist in libcurl's URL API path when curlurlset handles a relative URL together with CURLUDEFAULTSCHEME on a CURLU handle that has host/path information but no stored u-scheme. The issue is in lib/urlapi.c inside redirecturl, where u-scheme is used in...
curl: TLS peer-verification bypass via mid-transfer ssl_config mutation
Hi all, We want to report a TLS peer-verification issue on current master. The trigger is narrow and requires a specific application usage pattern, but when it fires, a transfer that requests CURLOPTSSLVERIFYPEER=1 can reuse a TLS connection that was established with peer verification disabled...
curl: cookie: case-insensitive path comparison in replace_existing() allows cookie eviction across distinct paths
Hi all, replaceexisting in lib/cookie.c compares cookie paths case-insensitively at two sites. On case-sensitive servers, /Admin and /admin are distinct resources and are supposed to produce distinct jar entries. Because libcurl conflates them, a Set-Cookie at one path silently evicts the cookie ...