Lucene search
HackeroneRecent

15365 matches found

Hacker One
added 2025/12/29 11:21 p.m., 29 views

curl: HTTP/2 and HTTP/3 Header Injection in curl

VULNERABILITY REPORT: HTTP/2 and HTTP/3 Header Injection in curl. VULNERABILITY TYPE: Response Header Injection / HTTP Response Splittin...

AI score: 7.5
Exploits: 0
Hacker One
added 2025/12/29 5:23 p.m., 20 views

curl: SMTP CRLF Injection & Protocol Desynchronization in libcurl

Executive Summary: A critical security vulnerability has been identified in libcurl's SMTP protocol handler. The vulnerability allows for SMTP Command Smuggling and Protocol Desynchronization by injecting CRLF sequences into email address fields. This can be exploited to bypass security controls,...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/28 9:22 p.m., 13 views

curl: CVE-2025-15224: libssh key passphrase bypass without agent set

A vulnerability was discovered in the libcurl libssh backend where the CURLOPT_SSH_AUTH_TYPES option did not properly implement the CURLSSH_AUTH_AGENT flag. As a result, if the CURLSSH_AUTH_PUBLICKEY option was set, the implementation would act as if CURLSSH_AUTH_AGENT was always defined, allowing...

CVSS: 3.1, AI score: 7.1, EPSS: 0.00413
Exploits: 1
Hacker One
added 2025/12/28 7:39 p.m., 10 views

Node.js: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure

Vulnerability description not provided...

CVSS: 3.3, AI score: 6.2, EPSS: 0.00158
Exploits: 0
Hacker One
added 2025/12/28 4:18 p.m., 15 views

curl: Proxy-Authorization header is leaked to origin server after redirect from proxied to direct connection

Summary: curl leaks the Proxy-Authorization header to the origin server after following an HTTP redirect that transitions from a proxied connection to a direct connection (e.g. when using --noproxy or when the proxy is bypassed after a redirect). This causes proxy credentials, which are hop-by-hop, to be se...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/28 4:15 p.m., 15 views

curl: Telnet Suboption Buffer Pointer Underflow in lib/telnet.c leads to Out-of-Bounds Read

Summary: A buffer pointer underflow vulnerability exists in curl's telnet protocol handler (lib/telnet.c). When processing telnet suboptions in the CURL_TS_SE state, the code unconditionally decrements the suboption buffer pointer by 2 (subpointer -= 2), even when the CURL_SB_ACCUM macro skips writing due...

AI score: 7.5
Exploits: 0
Hacker One
added 2025/12/28 2:45 p.m., 17 views

curl: Cross-Layer State Confusion in libcurl: Credential & Key-Material Persistence Across Redirect / Connection Reuse Boundaries

Summary: This report describes a state-level security invariant violation in libcurl where credential- or key-related state may persist or be re-applied across logical trust boundaries (redirects, connection reuse, or scheme transitions) without a formal invariant enforcing reset semantics. The iss...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/27 7:17 p.m., 11 views

curl: Heap Buffer Over-read in lib/http2.c (on_header) handling PUSH_PROMISE frames

Summary: I have discovered a Heap Buffer Over-read vulnerability in lib/http2.c within the on_header callback function. When processing HTTP/2 PUSH_PROMISE frames, the code incorrectly uses the %s format specifier on raw pointers provided by nghttp2. According to nghttp2 documentation, the name and...

AI score: 6.8
Exploits: 0
Hacker One
added 2025/12/27 6:12 p.m., 18 views

curl: WebSocket Logic Error: Control Frame (PING/PONG) Starvation causes Connection Drop (DoS) during large transfers

Summary: I have discovered a logic flaw in lib/ws.c regarding the handling of WebSocket Control Frames (PING/PONG). According to RFC 6455, Control Frames should be processed as soon as possible, even in the middle of fragmented data frames, to maintain connection state (Keep-Alive). However, libcurl...

AI score: 6.6
Exploits: 0
Hacker One
added 2025/12/27 4:35 p.m., 139 views

curl: CRLF Injection / Protocol Smuggling in libcurl via CURLOPT_USERNAME (IMAP)

Summary: I have discovered a CRLF injection vulnerability in the IMAP protocol implementation of libcurl. The vulnerability exists because the imap_atom function in lib/imap.c fails to properly sanitize or quote Carriage Return (\r) and Line Feed (\n) characters when processing the CURLOPT_USERNAME...

AI score: 8.3
Exploits: 0
Hacker One
added 2025/12/27 8:56 a.m., 10 views

Nextcloud: Unauthenticated SSRF via Public Reference API - Sharing Token Bypass

Vulnerability description not provided...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/26 5:04 p.m., 21 views

curl: HTTP/3 Protocol Smuggling and Header Injection via CRLF in QPACK value conversion

A fundamental design flaw exists in how libcurl handles HTTP/3 (QUIC) response headers across all supported backends (ngtcp2, quiche, openssl-quic). The vulnerability stems from the unsafe transcoding of binary QPACK headers (HTTP/3) into the textual HTTP/1.1 format used internally by curl's pipeline...

AI score: 7.3
Exploits: 0
Hacker One
added 2025/12/26 1:31 p.m., 12 views

curl: Security hardening: missing integer overflow check in curl_load_library()

Summary: A missing integer overflow check was identified in lib/system_win32.c::curl_load_library when calculating the buffer size for a DLL path. On 32-bit Windows builds, the unchecked size calculation can wrap around, resulting in an undersized heap allocation followed by unbounded string copies v...

AI score: 8
Exploits: 0
Hacker One
added 2025/12/24 4:45 a.m., 12 views

curl: CVE-2025-15079: libssh global knownhost override

A vulnerability was discovered in libssh where the SSH_OPTIONS_GLOBAL_KNOWNHOSTS option was used to specify a global knownhosts file. If the host was not found in the file specified by SSH_OPTIONS_KNOWNHOSTS, the global file was checked, potentially allowing any host identities specified in the defaul...

CVSS: 5.3, AI score: 6.7, EPSS: 0.00457
Exploits: 1
Hacker One
added 2025/12/24 12:25 a.m., 17 views

curl: Protocol Smuggling / CRLF Injection via Gopher Protocol allows Arbitrary Command Injection

Summary: I have discovered that the Gopher protocol implementation in curl fails to properly sanitize newline characters %0d%0 in the selector path. This allows an attacker to inject arbitrary TCP commands when curl connects to a target server via gopher://. This vulnerability enables Protocol...

AI score: 7.8
Exploits: 0
Hacker One
added 2025/12/23 9:48 p.m., 15 views

curl: Integer Overflow in `curl_easy_escape()` may lead to heap buffer overflow and stack memory disclosure on 32-bit platforms

Disclaimer: Both the confirmation and reporting of this vulnerability used AI assistance. Nonetheless, I manually reviewed all of the reported results, including the reproduction steps and source code. Summary: The curl_easy_escape function in lib/escape.c contains an integer overflow vulnerability...

AI score: 7.4
Exploits: 0
Hacker One
added 2025/12/22 7:32 p.m., 8 views

LinkedIn: Session Cookie Leakage via Static Header Field in WebViewerFragment

A vulnerability was identified in the "WebViewerFragment" that could lead to the leakage of the user's cookies. The root cause was a static field "CUSTOM_HEADERS" that persisted cookies across different URL loads, allowing an attacker to steal the victim's session cookies. The vulnerability was...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/22 7:14 p.m., 20 views

curl: HAProxy Connection Reuse leads to IP Spoofing and mTLS Context Smuggling

Executive Summary: libcurl fails to respect the CURLOPT_HAPROXY_CLIENT_IP configuration when reusing existing connections. Due to a missing check in the connection pooling logic, libcurl indiscriminately reuses a TCP/TLS connection established with a specific identity (IP A) for subsequent requests...

AI score: 6.4
Exploits: 0
Hacker One
added 2025/12/22 4:34 p.m., 15 views

curl: Public-suffix cookie injection when libpsl is disabled

Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...

AI score: 6.6
Exploits: 0
Hacker One
added 2025/12/22 5:49 a.m., 17 views

curl: libcurl WebSocket handshake accepts any Sec-WebSocket-Accept

Summary: libcurl upgrades to WebSocket without validating Sec-WebSocket-Accept, allowing a spoofed 101 response to complete the handshake and inject frames; AI assistance was used to draft this report. Steps to Reproduce: 1. Clone and build curl from source: git clone --depth=1...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/21 1:14 a.m., 12 views

Node.js: TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate...

CVSS: 7.5, AI score: 5.6, EPSS: 0.01056
Exploits: 0
Hacker One
added 2025/12/20 7:08 p.m., 12 views

Revive Adserver: [revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.00163
Exploits: 0
Hacker One
added 2025/12/20 11:55 a.m., 16 views

curl: Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes

Summary: A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c. 1. Optional Whitespace (OWS) Handling: The current implementation fails to skip optional whitespace after comma delimiters in...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/20 6:19 a.m., 16 views

curl: A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.

In lib/url.c, the detect_proxy function uses a fixed-size buffer, proxy_env[20], to construct proxy environment variable names (e.g., http_proxy). However, the curl URL parser (lib/urlapi.c) allows protocol schemes up to 40 characters (MAX_SCHEME_LEN). When a protocol scheme longer than 12 characters is used,...

AI score: 7
Exploits: 0
Hacker One
added 2025/12/19 7:22 a.m., 19 views

curl: Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)

During a review of curl's handling of response decompression, it was noticed that no limit exists on the final uncompressed data volume from compressed HTTP replies. Instead of setting constraints, the current design allows indefinite expansion during processing. This absence of limits could lead...

AI score: 7.2
Exploits: 0
Hacker One
added 2025/12/18 6:43 p.m., 14 views

Revive Adserver: Reflected XSS in banner-acl.php and channel-acl.php via executionorder

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.00163
Exploits: 0
Hacker One
added 2025/12/18 5:23 p.m., 26 views

curl: File URL UNC Path Access (Windows SSRF)

Vulnerability Details - CVSSv3: 7.5 (High) - Windows only - File: lib/urlapi.c:974-1030 - Issue: Windows file:// URLs accept UNC paths to remote servers - Impact: SSRF, unauthorized network file access, credential theft. Vulnerable Code (C): // lib/urlapi.c:974-1030 if(ptr[0] != '/' &&...

AI score: 6.7
Exploits: 0
Hacker One
added 2025/12/18 11:38 a.m., 16 views

curl: Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response

DESCRIPTION: Summary: I discovered a heap buffer over-read vulnerability in libcurl's SMB protocol implementation. A malicious SMB serv...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/18 11:13 a.m., 13 views

curl: Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response

DESCRIPTION: Summary: I discovered a heap buffer over-read vulnerability in libcurl's SMB protocol implementation. A malicious SMB serv...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/17 5:44 a.m., 18 views

curl: Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS

Summary: A heap-based buffer overflow exists in the AmigaOS-specific DNS resolution function Curl_ipv4_resolver located in lib/amigaos.c. The function uses gethostbyname_r with a fixed-size heap buffer (CURL_HOSTENT_SIZE) and performs incorrect pointer arithmetic when calculating the data buffer offset...

AI score: 8
Exploits: 0
Hacker One
added 2025/12/16 10:10 p.m., 13 views

Revive Adserver: Reflected XSS in afr.php

Vulnerability description not provided...

CVSS: 6.1, AI score: 6.8, EPSS: 0.00163
Exploits: 0
Hacker One
added 2025/12/16 8:31 p.m., 18 views

curl: Certificate Pinning Bypass with wolfSSL backend over HTTP/3

Summary: A security feature bypass exists in libcurl when built with the wolfSSL backend and HTTP/3 support. The Certificate Pinning feature (--pinnedpubkey) is silently ignored if the user also disables peer verification (-k or --insecure). This behavior is inconsistent with other backends like...

AI score: 7
Exploits: 0
Hacker One
added 2025/12/16 3:19 p.m., 8 views

Basecamp: Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure

A vulnerability was discovered where unauthenticated users could access private files and file previews on the application through Active Storage URLs. This vulnerability allowed information disclosure, as the files and previews could be accessed without any authentication or authorization checks...

AI score: 5.8
Exploits: 0
Hacker One
added 2025/12/16 5:15 a.m., 18 views

curl: Heap Overflow in cURL AmigaOS Socket Implementation

Buffer Overflow in cURL AmigaOS Socket Implementation. Report Metadata - Report ID: H1-CURL-AMIGAOS-001 - Report Title: Heap Buffer Overflow in Curl_ipv4_resolver in AmigaOS Socket Backend - Component: /home/el-ha9/curl/lib/amigaos.c - Curl_ipv4_resolver function - Affected Versions: All cURL versions...

AI score: 9.3
Exploits: 0
Hacker One
added 2025/12/16 4:46 a.m., 15 views

curl: Curl Alt-Svc Parser Stack Buffer Overflow

cURL Alt-Svc Parser Stack Buffer Overflow Vulnerability Analysis In Simple Terms A critical security flaw was discovered in cURL versions 7.64.0-7.89.0 that allows attackers to run malicious code on your system by exploiting how cURL processes certain HTTP responses. When cURL receives a speciall...

AI score: 9
Exploits: 0
Hacker One
added 2025/12/15 9:31 a.m., 17 views

Node.js: Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)

A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when --permission was enabled. Even without --allow-net, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking t...

CVSS: 10, AI score: 5.7, EPSS: 0.00663
Exploits: 1
Hacker One
added 2025/12/15 7:45 a.m., 46 views

curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization

Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences (../ and ./) from URLs according to RFC 3986. However, the function only recognizes literal forward slashes (/) when identifying path segments and does not handle URL-encoded slashes (%2f or %2F). Thi...

AI score: 7.1
Exploits: 0
Hacker One
added 2025/12/13 5:07 p.m., 11 views

Nintendo: ASLR leak in Mario Kart World through LAN mode

A vulnerability was discovered in the LAN mode of Mario Kart World that allowed an ASLR leak. This vulnerability was found in the game's software...

AI score: 5.4
Exploits: 0
Hacker One
added 2025/12/13 4:49 p.m., 16 views

Node.js: Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling

Summary: In Node.js' crypto module, the createDecipheriv documentation states that "the authTagLength option defaults to 16 bytes and must be set to a different value if a different length is used." The authentication tag's length is however not validated against that default value and can be truncated do...

AI score: 7.3
Exploits: 0
Hacker One
added 2025/12/13 8:12 a.m., 20 views

curl: testing hackerone functions

hi team i am testing hackerone functions i need some help of you this is my test account can you blacklist me from your program not ban just blacklist Impact thanks...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/13 7:58 a.m., 35 views

curl: Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization

Summary: A Denial of Service (DoS) vulnerability exists in the dedotdotify function in lib/urlapi.c that can cause excessive CPU consumption due to O(n²) time complexity when processing URLs with malicious path patterns containing many ../ sequences. Affected Component - Component: libcurl URL API -...

AI score: 7.1
Exploits: 0
Hacker One
added 2025/12/12 3:34 p.m., 18 views

IBM: Remote Code Execution identified on IBM endpoint.

A remote code execution vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated...

CVSS: 10, AI score: 8, EPSS: 0.99562
Exploits: 372
Hacker One
added 2025/12/12 2:53 p.m., 12 views

Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

Vulnerability description not provided...

CVSS: 8.2, AI score: 5.8, EPSS: 0.00318
Exploits: 0
Hacker One
added 2025/12/12 4:24 a.m., 20 views

curl: Buffer Overflow in cURL Internal printf Function

A critical buffer overflow vulnerability exists in the curl_msprintf function in cURL's internal printf implementation. The function writes formatted output to a user-provided buffer without performing any bounds checking, allowing attackers to overflow arbitrary memory and potentially achieve...

AI score: 8.2
Exploits: 0
Hacker One
added 2025/12/10 2:16 a.m., 19 views

curl: Terminal Output Not Great

Summary: No AI here, I just came across this: (python) import random import string from http.server import BaseHTTPRequestHandler, HTTPServer class MaliciousHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header('Content-Type', 'text/plain') rand_id =...

AI score: 6.9
Exploits: 0
Hacker One
added 2025/12/09 6:59 p.m., 27 views

curl: Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)

Summary: A stack-based buffer overflow exists in the wssl_strerror function of cURL's wolfSSL TLS backend. The function uses an unsafe strcpy call, relying solely on a DEBUGASSERT macro for boundary checking. This macro is disabled in production release builds (-DNDEBUG), allowing memory corruption...

AI score: 7.5
Exploits: 0
Hacker One
added 2025/12/09 6:01 p.m., 10 views

curl: CVE-2025-14524: bearer token leak on cross-protocol redirect

Summary: A vulnerability exists in libcurl regarding the handling of OAuth2 Bearer tokens (CURLOPT_XOAUTH2_BEARER) during HTTP redirects. While libcurl correctly clears standard authentication credentials (CURLOPT_USERPWD) when following a redirect to a different host, port, or protocol a security...

CVSS: 5.7, AI score: 7.6, EPSS: 0.01595
Exploits: 2
Hacker One
added 2025/12/09 3:45 p.m., 11 views

Stripo Inc: [Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.

An unauthorized cross-tenant data access vulnerability was discovered in the Stripo AI Hub Campaign. The vulnerability allowed access to data from a deleted project. The issue was resolved...

AI score: 5.5
Exploits: 0
Hacker One
added 2025/12/09 9:43 a.m., 21 views

IBM: [RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182

Vulnerability description not provided...

CVSS: 10, AI score: 7.6, EPSS: 0.99562
Exploits: 372
Hacker One
added 2025/12/08 6:22 a.m., 10 views

Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when async_hooks.createHook was enabled. Instead of reaching process.on('uncaughtException'), the process terminated, making the crash unrecoverable...

CVSS: 7.5, AI score: 5.5, EPSS: 0.00624
Exploits: 0
Total number of security vulnerabilities: 15365