
15267 matches found

Hacker One
added 2025/12/15 7:45 a.m., 22 views

curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization

Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences ../ and ./ from URLs according to RFC 3986. However, the function only recognizes literal forward slashes / when identifying path segments and does not handle URL-encoded slashes %2f or %2F. Thi...

7.1 AI score
Exploits: 0
Hacker One
added 2025/12/13 5:7 p.m., 6 views

Nintendo: ASLR leak in Mario Kart World through LAN mode

A vulnerability was discovered in the LAN mode of Mario Kart World that allowed an ASLR leak. This vulnerability was found in the game's software...

5.4 AI score
Exploits: 0
Hacker One
added 2025/12/13 4:49 p.m., 11 views

Node.js: Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling

Summary: In Node.js' crypto module, the createDecipheriv states that "the authTagLength option defaults to 16 bytes and must be set to a different value if a different length is used." here The authentication tag's length is however not validated against that default value and can be truncated do...

7.3 AI score
Exploits: 0
Hacker One
added 2025/12/13 8:12 a.m., 17 views

curl: testing hackerone functions

hi team i am testing hackerone functions i need some help of you this is my test account can you blacklist me from your program not ban just blacklist Impact thanks...

6.9 AI score
Exploits: 0
Hacker One
added 2025/12/13 7:58 a.m., 27 views

curl: Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization

Summary A Denial of Service (DoS) vulnerability exists in the dedotdotify function in lib/urlapi.c that can cause excessive CPU consumption due to O(n²) time complexity when processing URLs with malicious path patterns containing many ../ sequences. Affected Component - Component: libcurl URL API -...

7.1 AI score
Exploits: 0
Hacker One
added 2025/12/12 3:34 p.m., 14 views

IBM: Remote Code Execution identified on IBM endpoint.

A remote code execution vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated...

10 CVSS, 8 AI score, 0.84541 EPSS
Exploits: 361
Hacker One
added 2025/12/12 2:53 p.m., 6 views

Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

Vulnerability description not provided...

8.2 CVSS, 5.8 AI score, 0.00031 EPSS
Exploits: 0
Hacker One
added 2025/12/12 4:24 a.m., 18 views

curl: Buffer Overflow in cURL Internal printf Function

A critical buffer overflow vulnerability exists in the curl_msprintf function in cURL's internal printf implementation. The function writes formatted output to a user-provided buffer without performing any bounds checking, allowing attackers to overflow arbitrary memory and potentially achieve...

8.2 AI score
Exploits: 0
Hacker One
added 2025/12/10 2:16 a.m., 15 views

curl: Terminal Output Not Great

Summary: No AI here, I just came across this: python import random import string from http.server import BaseHTTPRequestHandler, HTTPServer class MaliciousHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header('Content-Type', 'text/plain') randid =...

6.9 AI score
Exploits: 0
Hacker One
added 2025/12/09 6:59 p.m., 25 views

curl: Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)

Summary: A stack-based buffer overflow exists in the wssl_strerror function of cURL's wolfSSL TLS backend. The function uses an unsafe strcpy call, relying solely on a DEBUGASSERT macro for boundary checking. This macro is disabled in production release builds (-DNDEBUG), allowing memory corruption...

7.5 AI score
Exploits: 0
Hacker One
added 2025/12/09 6:1 p.m., 7 views

curl: CVE-2025-14524: bearer token leak on cross-protocol redirect

Summary: A vulnerability exists in libcurl regarding the handling of OAuth2 Bearer tokens (CURLOPT_XOAUTH2_BEARER) during HTTP redirects. While libcurl correctly clears standard authentication credentials (CURLOPT_USERPWD) when following a redirect to a different host, port, or protocol a security...

5.7 CVSS, 7.6 AI score, 0.00314 EPSS
Exploits: 2
Hacker One
added 2025/12/09 3:45 p.m., 7 views

Stripo Inc: [Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.

An unauthorized cross-tenant data access vulnerability was discovered in the Stripo AI Hub Campaign. The vulnerability allowed access to data from a deleted project. The issue was resolved...

5.5 AI score
Exploits: 0
Hacker One
added 2025/12/09 9:43 a.m., 17 views

IBM: [RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182

Vulnerability description not provided...

10 CVSS, 7.6 AI score, 0.84541 EPSS
Exploits: 361
Hacker One
added 2025/12/08 6:22 a.m., 5 views

Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when async_hooks.createHook was enabled. Instead of reaching process.on('uncaughtException'), the process terminated, making the crash unrecoverable...

7.5 CVSS, 5.5 AI score, 0.0003 EPSS
Exploits: 0
Hacker One
added 2025/12/08 1:21 a.m., 6 views

Node.js: Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

A vulnerability was discovered in the Fetch API of Node.js that allowed an unbounded number of links in the decompression chain for HTTP responses. This could lead to resource exhaustion, as the default maxHeaderSize allowed a malicious server to insert thousands of compression steps, resulting i...

5.6 AI score
Exploits: 0
Hacker One
added 2025/12/06 9:17 p.m., 15 views

curl: Certificate Hostname Validation Bypass via Leading Dot in Hostname

Summary A hostname validation bypass in libcurl's wildcard certificate matching. The hostmatch function fails to handle hostnames starting with a dot, causing .example.com to match .example.com. When hostname starts with ., memchr returns position 0, so the entire hostname including the leading d...

6.8 AI score
Exploits: 0
Hacker One
added 2025/12/05 8:9 a.m., 12 views

curl: Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle

Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle. This software is licensed as described in the file COPYING, which you should have received as part of this distribution. The terms are also available at...

8.4 AI score
Exploits: 0
Hacker One
added 2025/12/05 7:47 a.m., 3 views

PlayStation: PS4 BD-J privilege escalation using nested JAR

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path...

7.4 CVSS, 5.4 AI score, 0.00012 EPSS
Exploits: 0
Hacker One
added 2025/12/04 8:9 p.m., 15 views

Enjin: Unauthenticated GraphQL access by prepending __schema to private operations

A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "__schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of t...

6.8 AI score
Exploits: 0
Hacker One
added 2025/12/04 9:55 a.m., 15 views

curl: SMTP Protocol Injection via CRLF in CURLOPT_MAIL_FROM leading to Email Spoofing

Here is the complete, finalized report. I have incorporated the specific curl version you provided and added a detailed "Vulnerable Code Analysis" section with the code excerpts explained, as requested. I have removed the Impact section in accordance with your instruction. Summary: A critic...

8.2 AI score
Exploits: 0
Hacker One
added 2025/12/03 12:21 a.m., 7 views

Node.js: CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown

Vulnerability description not provided...

3.3 CVSS, 6.6 AI score, 0.00095 EPSS
Exploits: 0
Hacker One
added 2025/12/01 7:47 p.m., 6 views

Automattic: XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution

A cross-site scripting (XSS) vulnerability was discovered in the Pressable/Atomic Hosting Platform's admin notices feature. Unescaped text output in the atomic-platform.php file allowed arbitrary JavaScript code execution when an administrator updated or set the atomicsingleoptionlimiternotices...

6 AI score
Exploits: 0
Hacker One
added 2025/12/01 1:23 a.m., 10 views

Basecamp: Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses

A vulnerability was discovered in the application that allowed authenticated users to supply a URL that the server would fetch for OpenGraph data. The "private network" guard only blocked certain IP ranges, but ignored link-local addresses, enabling server-side requests to be made to those hosts...

6.7 AI score
Exploits: 0
Hacker One
added 2025/11/30 7:37 p.m., 6 views

Revive Adserver: Broken Access Control allows advertiser accounts to delete trackers they do not own

Vulnerability description not provided...

7.1 CVSS, 6.8 AI score, 0.00026 EPSS
Exploits: 0
Hacker One
added 2025/11/30 8:51 a.m., 6 views

Revive Adserver: INI Format string injection in Revive Adserver 6.0.4 settings

Vulnerability description not provided...

2.7 CVSS, 6.8 AI score, 0.0004 EPSS
Exploits: 0
Hacker One
added 2025/11/30 12:7 a.m., 21 views

curl: Path Traversal in file:// protocol allows Arbitrary File Read

Summary: The file:// protocol handler in curl does not properly sanitise or block path traversal sequences ../. This allows a maliciously crafted file:// URL to escape the intended directory and access arbitrary files on the filesystem with the permissions of the user running curl. When curl is...

6.7 AI score
Exploits: 0
Hacker One
added 2025/11/29 5:6 p.m., 12 views

curl: Heap Buffer Overflow in TFTP

Summary: A heap buffer overflow vulnerability exists in the TFTP implementation of libcurl. The vulnerability is triggered when a malicious TFTP server sends an OACK (Option acknowledgment) packet with a blksize option that is larger than the default block size (512 bytes). libcurl updates its intern...

8.4 AI score
Exploits: 0
Hacker One
added 2025/11/27 8:51 p.m., 8 views

Nextcloud: Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

A vulnerability was discovered in the style sanitizer of Roundcube Webmail that allowed bypassing the sanitizer using CSS character escapes. This enabled the use of arbitrary inline CSS, such as the url function, which could be used to retrieve the IP address and user agent of the person reading...

6.9 AI score
Exploits: 0
Hacker One
added 2025/11/26 8:34 a.m., 19 views

curl: Infinite loop issue in the state machine of the curl project

Summary: Vulnerability impact: When curl attempts to download files from a malicious FTP server, it triggers an infinite loop in the code execution. I discovered this issue in the FTP functionality of the curl project. As described in...

7.6 AI score
Exploits: 0
Hacker One
added 2025/11/26 7:35 a.m., 16 views

curl: runs javascript on powershell when it shouldnt

On Windows, if I run a curl on PowerShell for a script that should show alert(1) it just executes the script when it shouldn't. I did not use AI to find or report this bug. Affected version on CMD I ran curl --version curl 8.16.0 Windows libcurl/8.16.0 Schannel zlib/1.3.1 WinIDN on PowerShell it...

6.8 AI score
Exploits: 0
Hacker One
added 2025/11/22 5:56 a.m., 7 views

U.S. Dept Of Defense: Cross-Site Scripting via URL on ████████

A Cross-Site Scripting (XSS) vulnerability was discovered on a specific system through the GET method. The vulnerability allowed the injection of malicious scripts that could be executed. The provided payload demonstrated the vulnerability. The system host and affected products and versions were no...

6.2 AI score
Exploits: 0
Hacker One
added 2025/11/20 4:39 a.m., 16 views

curl: Arbitrary free in curl's config file parsing.

Summary: arbitrary free leading to possible double-free / use-after-free / memory corruption, depending on the program and the ability of what we can do after freeing the pointer we control. Statement clarifying if an AI was used to find the issue or generate the report: Yes I used AI to list...

7.7 AI score
Exploits: 0
Hacker One
added 2025/11/20 3:47 a.m., 22 views

curl: Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins

Summary - Component: libcurl core HTTP handling HTTP/2 request translation and CONNECT detection - Type: out-of-bounds read resulting from missing null-termination - Impact: Behavior not defined by the specification, the program can crash (DoS) and CONNECT requests can be...

6.8 AI score
Exploits: 0
Hacker One
added 2025/11/19 9:7 p.m., 20 views

Revive Adserver: Username Validation Bypass

Cricetinae Executive Summary The security patch in commit d239a0845e4f64fbacd25fff2854426734d43aa2 is INSUFFICIENT. Testing confirms that 3 out of 4 exploit vectors still bypass validation. --- Vulnerability Details Affected Component: Username validation in user registration/creation File:...

5.4 CVSS, 6.6 AI score, 0.00025 EPSS
Exploits: 1
Hacker One
added 2025/11/19 8:12 a.m., 10 views

curl: [SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append

Summary: A Time-of-check to Time-of-use (TOCTOU) race condition exists in the SFTP upload resume functionality of libcurl. When resuming an upload with CURLOPT_RESUME_FROM set to -1 (the equivalent of the curl -C - command-line flag), libcurl first performs a STAT operation to determine the remote file...

7.3 AI score
Exploits: 0
Hacker One
added 2025/11/18 9:17 p.m., 6 views

IBM: Path Traversal vulnerability identified on IBM endpoint.

A Path Traversal vulnerability was identified on an IBM endpoint. The vulnerability was reported to IBM, analyzed, and has been remediated...

6.8 AI score
Exploits: 0
Hacker One
added 2025/11/18 11:19 a.m., 13 views

curl: Double free in tool_ssls_load()

Summary: There is a double-free bug in tool_ssls_load, which can happen at line 83-84 or 129-130 (tool_ssls.c): curl_free(shmac); curl_free(sdata); The root cause is that line 83-84 did not reset shmac and sdata to NULL. If the session is malformed, the double-free will be triggered. No AI was used to fin...

7 AI score
Exploits: 0
Hacker One
added 2025/11/16 7:32 a.m., 13 views

curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash

Summary: There is a double-free in libcurl with rustls. The root cause is reported and it is fixed in https://github.com/curl/curl/pull/19425, while I did not try to evaluate the actual triggering at that time. No AI was used to find the issue or generate the report. Affected version It was...

6.7 AI score
Exploits: 0
Hacker One
added 2025/11/15 10:45 p.m., 13 views

curl: Incorrect sizeof() in Rustls Backend Memory Allocation

Summary There's a bug in lib/vtls/rustls.c where malloc uses sizeofciphersuites instead of sizeofciphersuites. This allocates memory based on pointer size rather than element size. Steps To Reproduce 1. Look at lib/vtls/rustls.c line 530: c const struct rustlssupportedciphersuite ciphersuites =...

7.3 AI score
Exploits: 0
Hacker One
added 2025/11/15 8:14 p.m., 7 views

AWS VDP: Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution

Asset URL: https://github.com/aws/amazon-q-developer-cli/ Summary: Running Q chat from Amazon Q Developer CLI from an attacker-controlled repository/directory that contains a crafted .amazonq/mcp.json enables arbitrary command injection/execution. Amazon Q Developer CLI automatically loads and...

7.5 AI score
Exploits: 0
Hacker One
added 2025/11/15 7:12 p.m., 17 views

curl: Off-by-One Buffer Overflow in SMB Path Handler

Summary Found an off-by-one buffer overflow in lib/smb.c when handling SMB file paths. The bounds check uses instead of =, allowing a path of exactly 1023 bytes to overflow the 1024-byte buffer by one byte when the null terminator is added. Details File: lib/smb.c Function: smbsendopen Lines: 784...

7.6 AI score
Exploits: 0
Hacker One
added 2025/11/15 3:47 p.m., 10 views

curl: Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration

Summary: When a user runs curl -OJ , a malicious server can force the response to be saved as .curlrc in the working directory. If the user executes the download from their home directory a common workflow, the attacker overwrites /.curlrc. Subsequent curl invocations automatically load this...

6.7 AI score
Exploits: 0
Hacker One
added 2025/11/15 5:49 a.m., 5 views

AWS VDP: Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on ██████████

A vulnerability was found in the coupon code system of the ██████████ online store. The coupon code for free shipping could be used multiple times on any number of orders without any restrictions or tracking. This allowed users to bypass shipping charges indefinitely, resulting in a direct...

5.6 AI score
Exploits: 0
Hacker One
added 2025/11/15 2:55 a.m., 13 views

M&T Bank Vulnerability Disclosure: HTML Injection in Emails on login.mtb.com via givenName parameter leads to phishing attacks

A vulnerability was found that allowed HTML injection in emails on login.mtb.com via the givenName parameter. This vulnerability could have enabled phishing attacks...

7.1 AI score
Exploits: 0
Hacker One
added 2025/11/14 6:53 p.m., 7 views

Django: ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion

ASGIRequest header concatenation quadratic CPU DoS Reporter: Jiyong Yang / BAEKSEOK University Target: Django current main, affects all versions with ASGI support Type: Denial of Service CPU exhaustion Summary django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the...

5.5 AI score
Exploits: 0
Hacker One
added 2025/11/14 9:4 a.m., 12 views

Cosmos: Economic DoS (Griefing) on IBC Relayers via `memo` Callback Gas Exploitation

Summary of Impact This vulnerability allows an attacker to bypass the relayer's simulation defense and force permissionless relayers to execute computationally expensive, but 'successful', transactions via the memo callback feature. This creates an asymmetric economic attack where the relayer's...

6.7 AI score
Exploits: 0
Hacker One
added 2025/11/13 10:29 p.m., 6 views

Cloudflare Public Bug Bounty: AI Playground XSS to steal user-chat messages and access to connected MCP Server

A reflected XSS vulnerability was discovered in the AI Playground OAuth handler due to unescaped interpolation of the error_description parameter into a script tag. The issue has been patched, and users of the open-source Agents SDK should upgrade to v0.3.10...

5.5 AI score
Exploits: 0
Hacker One
added 2025/11/13 10:4 p.m., 6 views

Django: User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery

A vulnerability was discovered in the check_password function in django/contrib/auth/handlers/modwsgi.py. When a non-existent username was provided, the function returned immediately without performing password verification, leading to a timing attack that allowed attackers to enumerate valid...

5.4 AI score
Exploits: 0
Hacker One
added 2025/11/12 10:46 p.m., 5 views

Cloudflare Public Bug Bounty: [Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth

A vulnerability in Cloudflare Access involving the Browser Isolation email field was discovered, which could allow for unauthorized approvals within the Temporary Auth workflow. The issue has been fully remediated...

5.7 AI score
Exploits: 0
Hacker One
added 2025/11/12 12:30 p.m., 13 views

LY Corporation: page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise

An open redirect vulnerability was identified in page.line.me because redirect destinations were not properly restricted to trusted domains. This vulnerability could have been abused within an OAuth 2.0 authorization flow to cause the authorization response to be sent to an attacker-controlled...

5.9 AI score
Exploits: 0
Total number of security vulnerabilities: 15267