HackeroneRecent

15267 matches found

Hacker One
added 2026/01/10 7:22 p.m., 23 views

curl: Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers

Summary: A heap-based out-of-bounds read vulnerability exists in libcurl's HTTP/2 implementation. The on_header callback in lib/http2.c incorrectly treats header names and values provided by nghttp2 as null-terminated C strings. Specifically, passing these pointers to curl_maprintf with the %s forma...

AI score: 7.5
Exploits: 0
Hacker One
added 2026/01/10 6:58 a.m., 13 views

curl: CRLF Injection in HTTP header values allows arbitrary header injection

curl allows carriage return (\r) and line feed (\n) characters inside HTTP header values. When attacker-controlled data is used in a header value (e.g., Authorization: Bearer), curl constructs and sends a malformed HTTP request containing injected headers. This violates the HTTP specification (RFC 7320 / RFC...

AI score: 6.7
Exploits: 0
Hacker One
added 2026/01/08 8:38 a.m., 12 views

curl: Inconsistent Rejection Logic in file:// URLs with Authority

curl's file:// protocol handler inconsistently applies path sanitization. It rejects file://../ as "Bad file:// URL" but allows the same traversal when an authority/host (e.g., localhost) is present: file://localhost/../. This inconsistency misleads developers who rely on the bad file:// URL error for...

AI score: 7.2
Exploits: 0
Hacker One
added 2026/01/07 10:12 p.m., 10 views

curl: Stack Buffer Overflow in mprintf.c formatting function (fallback path)

Summary: A stack-based buffer overflow exists in mprintf.c within the outdouble function. This vulnerability affects builds where HAVE_SNPRINTF is undefined, forcing the use of the legacy sprintf function. The logic responsible for calculating the maximum safe precision (maxprec) for floating-point...

AI score: 7.2
Exploits: 0
Hacker One
added 2026/01/06 8:51 a.m., 8 views

curl: MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait

curl's MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound beyond the MQTT spec maximum of 268,435,455 bytes. A malicious server can send a PUBLISH packet claiming this maximum size but provide only a minimal payload, causing curl to wait...

AI score: 6.8
Exploits: 0
Hacker One
added 2026/01/05 10:13 p.m., 11 views

curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)

Vulnerability: State Isolation Failure in Multiplexed Connections (Shared Auth Context). Product: libcurl. Affected Versions: v7.43.0 - Current (v8.x), all versions supporting HTTP/2 Multiplexing. Severity: CRITICAL. CVSS: 9.1. 1. Executive Summary: A fundamental design flaw exists in libcurl's state...

AI score: 6.7
Exploits: 0
Hacker One
added 2026/01/04 6:34 p.m., 4 views

Nextcloud: SVG filter primitives bypass remote image blocking, enabling email tracking without consent.

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the SVG filter primitive, allowing external resources to be loaded even when the "Block remote images" setting was enabled. This vulnerability could be used to track...

AI score: 5.8
Exploits: 0
Hacker One
added 2026/01/03 6:59 p.m., 21 views

curl: Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access

Summary: During my manual review of the file path handling logic in curl's source code, I noticed the absence of proper validation for directory traversal sequences, which I then verified through practical testing. I discovered that curl allows unauthorized access to arbitrary files through the...

CVSS: 8.1, AI score: 8.2, EPSS: 0.00212
Exploits: 1
Hacker One
added 2026/01/03 4:31 p.m., 11 views

curl: Alt-Svc bypasses credential leak protection (CVE-2018-1000007)

Summary: I found a bug where curl's Alt-Svc implementation fails to strip sensitive authentication headers (Authorization and Cookie) when remapping a connection to a different host or port. This essentially bypasses the security fix for CVE-2018-1000007. While auditing the code, I noticed that...

CVSS: 9.8, AI score: 7.8, EPSS: 0.03854
Exploits: 0
Hacker One
added 2026/01/02 5:54 a.m., 10 views

curl: CRLF Injection in Gopher Protocol (`lib/gopher.c`)

Control characters slip through during URL handling in curl's Gopher setup. Though null bytes get blocked by the REJECT_ZERO setting, carriage returns and line feeds remain permitted. A specially built address using percent-encoded breaks, like %0D%0A, opens room for command insertion. Because of how...

AI score: 7.2
Exploits: 0
Hacker One
added 2026/01/02 1:51 a.m., 11 views

curl: HTTP Request Smuggling and SSRF via CRLF Injection in Curl_add_custom_headers

Summary: A lack of CRLF validation in Curl_add_custom_headers at lib/http.c:1761 allows users to inject arbitrary HTTP headers. This violation of RFC 7230 §3.2.4 leads to HTTP Request Smuggling and potential SSRF bypass. AI Disclosure: I utilized an AI assistant to aid in the initial code analysis a...

AI score: 7.2
Exploits: 0
Hacker One
added 2026/01/01 9:51 p.m., 10 views

curl: MQTT Protocol Violation & Integer Overflow in libcurl

Executive Summary. Vulnerability Type: CWE-190. Component: lib/mqtt.c. Function: mqtt_decode_len. Affected Architectures: all architectures (protocol non-compliance leading to stream desynchronization); 32-bit architectures (deterministic integer overflow in length decoding). libcurl does not correctly...

AI score: 7.8
Exploits: 0
Hacker One
added 2026/01/01 11:56 a.m., 8 views

curl: PROTOCOL-LEVEL: Persistent UDP Amplification and Cache Poisoning via Alt-Svc Logic Flaw

Summary: A structural logic flaw in the libcurl Alt-Svc header parser allows attack attributes (specifically persist and max-age) to "leak" from one service definition to another. We have successfully chained this logic bug with curl's HTTP/3 (QUIC) support to demonstrate a Persistent UDP Amplificatio...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/31 2:45 p.m., 10 views

curl: A quiet New Year wish for security researchers

Hi curl Security Team and fellow security researchers, sorry in advance if this isn't a traditional security report. I know your time is valuable, and I truly respect the work you all do. I just wanted to take a quiet moment to wish every security researcher here, those who report issues, those wh...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/29 11:21 p.m., 18 views

curl: HTTP/2 and HTTP/3 Header Injection in curl

VULNERABILITY REPORT: HTTP/2 and HTTP/3 Header Injection in curl. VULNERABILITY TYPE: Response Header Injection / HTTP Response Splittin...

AI score: 7.5
Exploits: 0
Hacker One
added 2025/12/29 5:23 p.m., 13 views

curl: SMTP CRLF Injection & Protocol Desynchronization in libcurl

Executive Summary: A critical security vulnerability has been identified in libcurl's SMTP protocol handler. The vulnerability allows for SMTP Command Smuggling and Protocol Desynchronization by injecting CRLF sequences into email address fields. This can be exploited to bypass security controls,...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/28 9:22 p.m., 9 views

curl: CVE-2025-15224: libssh key passphrase bypass without agent set

A vulnerability was discovered in the libcurl libssh backend where the CURLOPT_SSH_AUTH_TYPES option did not properly implement the CURLSSH_AUTH_AGENT flag. As a result, if the CURLSSH_AUTH_PUBLICKEY option was set, the implementation would act as if CURLSSH_AUTH_AGENT was always defined, allowing...

CVSS: 3.1, AI score: 7.1, EPSS: 0.00067
Exploits: 1
Hacker One
added 2025/12/28 7:39 p.m., 4 views

Node.js: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure

Vulnerability description not provided...

CVSS: 3.3, AI score: 6.2, EPSS: 0.00005
Exploits: 0
Hacker One
added 2025/12/28 4:18 p.m., 8 views

curl: Proxy-Authorization header is leaked to origin server after redirect from proxied to direct connection

Summary: curl leaks the Proxy-Authorization header to the origin server after following an HTTP redirect that transitions from a proxied connection to a direct connection (e.g. when using --noproxy, or when the proxy is bypassed after redirect). This causes proxy credentials, which are hop-by-hop, to be se...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/28 4:15 p.m., 11 views

curl: Telnet Suboption Buffer Pointer Underflow in lib/telnet.c leads to Out-of-Bounds Read

Summary: A buffer pointer underflow vulnerability exists in curl's telnet protocol handler (lib/telnet.c). When processing telnet suboptions in the CURL_TS_SE state, the code unconditionally decrements the suboption buffer pointer by 2 (subpointer -= 2), even when the CURL_SB_ACCUM macro skips writing due...

AI score: 7.5
Exploits: 0
Hacker One
added 2025/12/28 2:45 p.m., 11 views

curl: Cross-Layer State Confusion in libcurl: Credential & Key-Material Persistence Across Redirect / Connection Reuse Boundaries

Summary: This report describes a state-level security invariant violation in libcurl where credential- or key-related state may persist or be re-applied across logical trust boundaries (redirects, connection reuse, or scheme transitions) without a formal invariant enforcing reset semantics. The iss...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/27 7:17 p.m., 7 views

curl: Heap Buffer Over-read in lib/http2.c (on_header) handling PUSH_PROMISE frames

Summary: I have discovered a Heap Buffer Over-read vulnerability in lib/http2.c within the on_header callback function. When processing HTTP/2 PUSH_PROMISE frames, the code incorrectly uses the %s format specifier on raw pointers provided by nghttp2. According to nghttp2 documentation, the name and...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/27 6:12 p.m., 12 views

curl: WebSocket Logic Error: Control Frame (PING/PONG) Starvation causes Connection Drop (DoS) during large transfers

Summary: I have discovered a logic flaw in lib/ws.c regarding the handling of WebSocket Control Frames (PING/PONG). According to RFC 6455, Control Frames should be processed as soon as possible, even in the middle of fragmented data frames, to maintain connection state (Keep-Alive). However, libcurl...

AI score: 6.6
Exploits: 0
Hacker One
added 2025/12/27 4:35 p.m., 21 views

curl: CRLF Injection / Protocol Smuggling in libcurl via CURLOPT_USERNAME (IMAP)

Summary: I have discovered a CRLF injection vulnerability in the IMAP protocol implementation of libcurl. The vulnerability exists because the imap_atom function in lib/imap.c fails to properly sanitize or quote Carriage Return (\r) and Line Feed (\n) characters when processing the CURLOPT_USERNAME...

AI score: 8.3
Exploits: 0
Hacker One
added 2025/12/27 8:56 a.m., 3 views

Nextcloud: Unauthenticated SSRF via Public Reference API - Sharing Token Bypass

Vulnerability description not provided...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/26 5:4 p.m., 12 views

curl: HTTP/3 Protocol Smuggling and Header Injection via CRLF in QPACK value conversion

A fundamental design flaw exists in how libcurl handles HTTP/3 (QUIC) response headers across all supported backends (ngtcp2, quiche, openssl-quic). The vulnerability stems from the unsafe transcoding of binary QPACK headers (HTTP/3) into the textual HTTP/1.1 format used internally by curl's pipeline...

AI score: 7.3
Exploits: 0
Hacker One
added 2025/12/26 1:31 p.m., 8 views

curl: Security hardening: missing integer overflow check in curl_load_library()

Summary: A missing integer overflow check was identified in lib/system_win32.c::curl_load_library when calculating the buffer size for a DLL path. On 32-bit Windows builds, the unchecked size calculation can wrap around, resulting in an undersized heap allocation followed by unbounded string copies v...

AI score: 8
Exploits: 0
Hacker One
added 2025/12/24 4:45 a.m., 7 views

curl: CVE-2025-15079: libssh global knownhost override

A vulnerability was discovered in libssh where the SSH_OPTIONS_GLOBAL_KNOWNHOSTS option was used to specify a global knownhosts file. If the host was not found in the file specified by SSH_OPTIONS_KNOWNHOSTS, the global file was checked, potentially allowing any host identities specified in the defaul...

CVSS: 5.3, AI score: 6.7, EPSS: 0.00031
Exploits: 1
Hacker One
added 2025/12/24 12:25 a.m., 13 views

curl: Protocol Smuggling / CRLF Injection via Gopher Protocol allows Arbitrary Command Injection

Summary: I have discovered that the Gopher protocol implementation in curl fails to properly sanitize newline characters (%0d%0) in the selector path. This allows an attacker to inject arbitrary TCP commands when curl connects to a target server via gopher://. This vulnerability enables Protocol...

AI score: 7.8
Exploits: 0
Hacker One
added 2025/12/23 9:48 p.m., 9 views

curl: Integer Overflow in `curl_easy_escape()` may lead to heap buffer overflow and stack memory disclosure on 32-bit platforms

Disclaimer: Both the confirmation and reporting of this vulnerability used AI assistance. Nonetheless, I manually reviewed all of the reported results, including its reproduction steps and source code. Summary: The curl_easy_escape function in lib/escape.c contains an integer overflow vulnerability...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/22 7:32 p.m., 3 views

LinkedIn: Session Cookie Leakage via Static Header Field in WebViewerFragment

A vulnerability was identified in the "WebViewerFragment" that could lead to the leakage of the user's cookies. The root cause was a static field "CUSTOMHEADERS" that persisted cookies across different URL loads, allowing an attacker to steal the victim's session cookies. The vulnerability was...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/22 7:14 p.m., 16 views

curl: HAProxy Connection Reuse leads to IP Spoofing and mTLS Context Smuggling

Executive Summary: libcurl fails to respect the CURLOPT_HAPROXY_CLIENT_IP configuration when reusing existing connections. Due to a missing check in the connection pooling logic, libcurl indiscriminately reuses a TCP/TLS connection established with a specific identity (IP A) for subsequent requests...

AI score: 6.4
Exploits: 0
Hacker One
added 2025/12/22 4:34 p.m., 8 views

curl: Public-suffix cookie injection when libpsl is disabled

Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...

AI score: 6.6
Exploits: 0
Hacker One
added 2025/12/22 5:49 a.m., 11 views

curl: libcurl WebSocket handshake accepts any Sec-WebSocket-Accept

Summary: libcurl upgrades to WebSocket without validating Sec-WebSocket-Accept, allowing a spoofed 101 response to complete the handshake and inject frames; AI assistance was used to draft this report. Steps to Reproduce: 1. Clone and build curl from source: git clone --depth=1...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/21 1:14 a.m., 7 views

Node.js: TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00056
Exploits: 0
Hacker One
added 2025/12/20 7:8 p.m., 7 views

Revive Adserver: [revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.0005
Exploits: 0
Hacker One
added 2025/12/20 11:55 a.m., 13 views

curl: Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes

Summary: A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c. 1. Optional Whitespace (OWS) Handling: The current implementation fails to skip optional whitespace after comma delimiters in...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/20 6:19 a.m., 14 views

curl: A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.

In lib/url.c, the detect_proxy function uses a fixed-size buffer, proxy_env[20], to construct proxy environment variable names (e.g., http_proxy). However, the curl URL parser (lib/urlapi.c) allows protocol schemes up to 40 characters (MAX_SCHEME_LEN). When a protocol scheme longer than 12 characters is used,...

AI score: 7
Exploits: 0
Hacker One
added 2025/12/19 7:22 a.m., 16 views

curl: Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)

During a review of curl's handling of response decompression, it was noticed that no limit exists on the final uncompressed data volume from compressed HTTP replies. Instead of setting constraints, the current design allows indefinite expansion during processing. This absence of limits could lead...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/18 6:43 p.m., 7 views

Revive Adserver: Reflected XSS in banner-acl.php and channel-acl.php via executionorder

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.0005
Exploits: 0
Hacker One
added 2025/12/18 5:23 p.m., 20 views

curl: File URL UNC Path Access (Windows SSRF)

Vulnerability Details - CVSSv3: 7.5 (High) - Windows only - File: lib/urlapi.c:974-1030 - Issue: Windows file:// URLs accept UNC paths to remote servers - Impact: SSRF, unauthorized network file access, credential theft. Vulnerable Code (C): // lib/urlapi.c:974-1030 if(ptr[0] != '/' &&...

AI score: 6.7
Exploits: 0
Hacker One
added 2025/12/18 11:38 a.m., 13 views

curl: Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response

DESCRIPTION: Summary: I discovered a heap buffer over-read vulnerability in libcurl's SMB protocol implementation. A malicious SMB serv...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/18 11:13 a.m., 7 views

curl: Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response

DESCRIPTION: Summary: I discovered a heap buffer over-read vulnerability in libcurl's SMB protocol implementation. A malicious SMB serv...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/17 5:44 a.m., 15 views

curl: Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS

Summary: A heap-based buffer overflow exists in the AmigaOS-specific DNS resolution function Curl_ipv4_resolve_r located in lib/amigaos.c. The function uses gethostbyname_r with a fixed-size heap buffer (CURL_HOSTENT_SIZE) and performs incorrect pointer arithmetic when calculating the data buffer offset...

AI score: 8
Exploits: 0
Hacker One
added 2025/12/16 10:10 p.m., 6 views

Revive Adserver: Reflected XSS in afr.php

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.0005
Exploits: 0
Hacker One
added 2025/12/16 8:31 p.m., 15 views

curl: Certificate Pinning Bypass with wolfSSL backend over HTTP/3

Summary: A security feature bypass exists in libcurl when built with the wolfSSL backend and HTTP/3 support. The Certificate Pinning feature (--pinnedpubkey) is silently ignored if the user also disables peer verification (-k or --insecure). This behavior is inconsistent with other backends like...

AI score: 7
Exploits: 0
Hacker One
added 2025/12/16 3:19 p.m., 3 views

Basecamp: Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure

A vulnerability was discovered where unauthenticated users could access private files and file previews on the application through Active Storage URLs. This vulnerability allowed information disclosure, as the files and previews could be accessed without any authentication or authorization checks...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/16 5:15 a.m., 16 views

curl: Heap Overflow in cURL AmigaOS Socket Implementation

Buffer Overflow in cURL AmigaOS Socket Implementation. Report Metadata - Report ID: H1-CURL-AMIGAOS-001 - Report Title: Heap Buffer Overflow in Curl_ipv4_resolve_r in AmigaOS Socket Backend - Component: /home/el-ha9/curl/lib/amigaos.c, Curl_ipv4_resolve_r function - Affected Versions: All cURL versions...

AI score: 9.3
Exploits: 0
Hacker One
added 2025/12/16 4:46 a.m., 11 views

curl: Curl Alt-Svc Parser Stack Buffer Overflow

cURL Alt-Svc Parser Stack Buffer Overflow Vulnerability Analysis. In Simple Terms: A critical security flaw was discovered in cURL versions 7.64.0-7.89.0 that allows attackers to run malicious code on your system by exploiting how cURL processes certain HTTP responses. When cURL receives a speciall...

AI score: 9
Exploits: 0
Hacker One
added 2025/12/15 9:31 a.m., 10 views

Node.js: Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)

A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when --permission was enabled. Even without --allow-net, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking t...

CVSS: 10, AI score: 5.7, EPSS: 0.00023
Exploits: 1
Total number of security vulnerabilities: 15267