206 matches found
Credential leak on redirect
curl follows HTTPS redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option. This "same host...
OCSP stapling bypass with GnuTLS
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error tha...
URL request injection
When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those are sent along to the proxy too, which allows the program to for example send a separate HTTP request injected...
HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL uses...
netrc and default credential leak
When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare...
TLS certificate check bypass with mbedTLS/PolarSSL
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3. This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend. The documentation for mbedTLS and PolarSSL wrongly says that...
IP address wildcard certificate validation
libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. RFC 2818 covers the requirements for matching Common Names CNs and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in th...
Reusing connections with wrong client cert
libcurl did not consider client certificates when reusing TLS connections. libcurl supports reuse of established connections for subsequent requests. It does this by keeping a few previous connections "alive" in a connection pool so that a subsequent request that can use one of them instead of...
wrong proxy connection reuse with credentials
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection...
cross-proxy Digest auth state leak
Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...
incomplete mTLS config matching in conn reuse
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS...
token leak with redirect and netrc
When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with eithe...
bearer token leak on cross-protocol redirect
When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...
connection reuse ignores TLS requirement
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text via IMAP, SMTP, or POP3, a subsequent request to that same host bypasses the TLS requirement and instead transm...
stale custom cookie host causes cookie leak
Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...
FTP wildcard stack overflow
libcurl offers a wildcard matching functionality, which allows a callback set with CURLOPTCHUNKBGNFUNCTION to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns...
curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J --remote-header-name and -i --include in the same command line. The command line tool offers the -J option that saves a remote file using the filename present in the Content-Disposition: response header. curl then...
FTP Server Response Buffer Overflow
When storing an FTP server's error message on failure, there was no check for input length and thus a malicious FTP server could overflow curl's stack based buffer...
UAF after pause in socket callback
Calling curleasypause within the event-based CURLMOPTSOCKETFUNCTION callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed...
IDN wildcard match
curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN International Domain...
bad reuse of HTTP Negotiate connection
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...
No QUIC certificate pinning with wolfSSL
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
Protocol downgrade required TLS bypassed
A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server --ssl-reqd on the command line or CURLOPTUSESSL set to CURLUSESSLCONTROL or CURLUSESSLALL with libcurl. This requirement could be bypassed if the server would return a properly crafted but...
UAF and double free in MQTT sending
When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again...
Wrong content via Metalink not discarded
When curl is instructed to download content using the Metalink feature, the contents is verified against a hash provided in the Metalink XML file. The Metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers and t...
Windows DLL hijacking
libcurl would load Windows system DLLs in a manner that may make it vulnerable to a DLL hijacking aka binary planting attack in certain configurations. libcurl has a unified code base that builds and runs on a multitude of different versions of Windows. To make that possible, when libcurl is buil...
sensitive HTTP server headers also sent to proxies
libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPTHTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option. When the connection passes through an HTTP proxy the same set of headers is sent to the prox...
wrong reuse of HTTP Negotiate connection
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...
gzip integer overflow
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPTACCEPTENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...
ASN.1 date parser overread
libcurl's ASN1 parser code has the GTime2str function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen getting performed on a pointer to a heap buffer area that i...
TELNET stack contents disclosure again
curl supports the -t command line option, known as CURLOPTTELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack bas...
RTSP RTP buffer over-read
curl can be tricked into copying data beyond end of its heap based buffer. When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be...
HTTP authentication leak in redirects
curl might leak authentication data to third parties. When asked to send custom headers in its HTTP requests, curl sends that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the...
curl escape and unescape integer overflows
The four libcurl functions curlescape, curleasyescape, curlunescape and curleasyunescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The functions having names without "easy" being the deprecated versions of the others...
lingering HTTP credentials in connection reuse
libcurl can wrongly send HTTP credentials when reusing connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPTUSERPWD for example. Name and password. Like all other libcurl options the credentials are sticky and are...
Authentication Buffer Overflows
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation and for an FTP server to overflow the client during krb4 negotiation. The announcement of this flaw w...
OCSP stapling bypass with Apple SecTrust
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine...
WebSocket endless loop
Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...
freeing stack buffer in utf8asn1str
libcurl's ASN1 parser has this utf8asn1str function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort...
SOCKS5 heap buffer overflow
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname ...
SSH connection too eager reuse still
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were...
CURLOPT_SSLCERT mix-up with Secure Transport
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPTSSLCERT option --cert with the command line tool. When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certifica...
Metalink download sends credentials
When curl is instructed to get content using the Metalink feature, and a user name and password are used to download the Metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl downloads or tries to download the contents from. Often contrar...
TLS 1.3 session ticket proxy host mix-up
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote serve...
Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the hostname before it resolves it, potentially leaking the partial password over the network and to the DNS servers. libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP...
Windows OpenSSL engine code injection
A non-privileged user or program can put code and a config file in a known non-privileged path under C:/usr/local/ that makes curl automatically run the code as an OpenSSL "engine" on invocation. If that curl is invoked by a privileged user it can do anything it wants. This flaw exists in the...
SSL CBC IV vulnerability
curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified CVE-2011-3389 aka the "BEAST" attack and is addressed by OpenSSL already as they have made a workaround to mitigate the problem. When doing so, they figured out...
wrong reuse of SMB connection
libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...
use after free in SMB connection reuse
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory...
broken TLS options for threaded LDAPS
When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...