curl: HTTP/2 and HTTP/3 Header Injection in curl
VULNERABILITY REPORT: HTTP/2 and HTTP/3 Header Injection in curl. VULNERABILITY TYPE: Response Header Injection / HTTP Response Splittin...
curl: SMTP CRLF Injection & Protocol Desynchronization in libcurl
Executive Summary A critical security vulnerability has been identified in libcurl's SMTP protocol handler. The vulnerability allows for SMTP Command Smuggling and Protocol Desynchronization by injecting CRLF sequences into email address fields. This can be exploited to bypass security controls,...
curl: CVE-2025-15224: libssh key passphrase bypass without agent set
A vulnerability was discovered in the libcurl libssh backend where the CURLOPT_SSH_AUTH_TYPES option did not properly implement the CURLSSH_AUTH_AGENT flag. As a result, if the CURLSSH_AUTH_PUBLICKEY option was set, the implementation would act as if CURLSSH_AUTH_AGENT was always defined, allowing...
Node.js: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure
Vulnerability description not provided...
curl: Proxy-Authorization header is leaked to origin server after redirect from proxied to direct connection
Summary: curl leaks the Proxy-Authorization header to the origin server after following an HTTP redirect that transitions from a proxied connection to a direct connection (e.g. when using --noproxy or when the proxy is bypassed after a redirect). This causes proxy credentials (which are hop-by-hop) to be se...
curl: Telnet Suboption Buffer Pointer Underflow in lib/telnet.c leads to Out-of-Bounds Read
Summary: A buffer pointer underflow vulnerability exists in curl's telnet protocol handler lib/telnet.c. When processing telnet suboptions in the CURL_TS_SE state, the code unconditionally decrements the suboption buffer pointer by 2 (subpointer -= 2), even when the CURL_SB_ACCUM macro skips writing due...
curl: Cross-Layer State Confusion in libcurl: Credential & Key-Material Persistence Across Redirect / Connection Reuse Boundaries
Summary: This report describes a state-level security invariant violation in libcurl where credential- or key-related state may persist or be re-applied across logical trust boundaries (redirects, connection reuse, or scheme transitions) without a formal invariant enforcing reset semantics. The iss...
curl: Heap Buffer Over-read in lib/http2.c (on_header) handling PUSH_PROMISE frames
Summary: I have discovered a Heap Buffer Over-read vulnerability in lib/http2.c within the on_header callback function. When processing HTTP/2 PUSH_PROMISE frames, the code incorrectly uses the %s format specifier on raw pointers provided by nghttp2. According to nghttp2 documentation, the name and...
curl: WebSocket Logic Error: Control Frame (PING/PONG) Starvation causes Connection Drop (DoS) during large transfers
Summary: I have discovered a logic flaw in lib/ws.c regarding the handling of WebSocket Control Frames (PING/PONG). According to RFC 6455, Control Frames should be processed as soon as possible, even in the middle of fragmented data frames, to maintain connection state (Keep-Alive). However, libcurl...
curl: CRLF Injection / Protocol Smuggling in libcurl via CURLOPT_USERNAME (IMAP)
Summary: I have discovered a CRLF injection vulnerability in the IMAP protocol implementation of libcurl. The vulnerability exists because the imap_atom function in lib/imap.c fails to properly sanitize or quote Carriage Return (\r) and Line Feed (\n) characters when processing the CURLOPT_USERNAME...
Nextcloud: Unauthenticated SSRF via Public Reference API -Sharing Token Bypass
Vulnerability description not provided...
curl: HTTP/3 Protocol Smuggling and Header Injection via CRLF in QPACK value conversion
A fundamental design flaw exists in how libcurl handles HTTP/3 QUIC response headers across all supported backends (ngtcp2, quiche, openssl-quic). The vulnerability stems from the unsafe transcoding of binary QPACK headers (HTTP/3) into the textual HTTP/1.1 format used internally by curl's pipeline...
curl: Security hardening: missing integer overflow check in curl_load_library()
Summary: A missing integer overflow check was identified in lib/system_win32.c::curl_load_library when calculating the buffer size for a DLL path. On 32-bit Windows builds, the unchecked size calculation can wrap around, resulting in an undersized heap allocation followed by unbounded string copies v...
curl: CVE-2025-15079: libssh global knownhost override
A vulnerability was discovered in libssh where the SSH_OPTIONS_GLOBAL_KNOWNHOSTS option was used to specify a global knownhosts file. If the host was not found in the file specified by SSH_OPTIONS_KNOWNHOSTS, the global file was checked, potentially allowing any host identities specified in the defaul...
curl: Protocol Smuggling / CRLF Injection via Gopher Protocol allows Arbitrary Command Injection
Summary: I have discovered that the Gopher protocol implementation in curl fails to properly sanitize newline characters %0d%0 in the selector path. This allows an attacker to inject arbitrary TCP commands when curl connects to a target server via gopher://. This vulnerability enables Protocol...
curl: Integer Overflow in `curl_easy_escape()` may lead to heap buffer overflow and stack memory disclosure on 32-bit platforms
Disclaimer: Both the confirmation and reporting of this vulnerability used AI assistance. Nonetheless, I manually reviewed all of the reported results, including its reproduction steps and source code. Summary: The curl_easy_escape function in lib/escape.c contains an integer overflow vulnerability...
LinkedIn: Session Cookie Leakage via Static Header Field in WebViewerFragment
A vulnerability was identified in the "WebViewerFragment" that could lead to the leakage of the user's cookies. The root cause was a static field "CUSTOMHEADERS" that persisted cookies across different URL loads, allowing an attacker to steal the victim's session cookies. The vulnerability was...
curl: HAProxy Connection Reuse leads to IP Spoofing and mTLS Context Smuggling
Executive Summary: libcurl fails to respect the CURLOPT_HAPROXY_CLIENT_IP configuration when reusing existing connections. Due to a missing check in the connection pooling logic, libcurl indiscriminately reuses a TCP/TLS connection established with a specific identity (IP A) for subsequent requests...
curl: Public-suffix cookie injection when libpsl is disabled
Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...
curl: libcurl WebSocket handshake accepts any Sec-WebSocket-Accept
Summary: libcurl upgrades to WebSocket without validating Sec-WebSocket-Accept, allowing a spoofed 101 response to complete the handshake and inject frames; AI assistance was used to draft this report. Steps to Reproduce: 1. Clone and build curl from source: git clone --depth=1...
Node.js: TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak
A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate...
Revive Adserver: [revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter
Vulnerability description not provided...
curl: Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes
Summary: A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c. 1. Optional Whitespace (OWS) Handling: The current implementation fails to skip optional whitespace after comma delimiters in...
curl: A logic error in detect_proxy caused truncation of environment variable names for long protocol schemes.
In lib/url.c, the detect_proxy function uses a fixed-size buffer, proxy_env[20], to construct proxy environment variable names (e.g., http_proxy). However, the curl URL parser lib/urlapi.c allows protocol schemes up to 40 characters (MAX_SCHEME_LEN). When a protocol scheme longer than 12 characters is used,...
curl: Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)
During a review of curl's handling of response decompression, it was noticed that no limit exists on the final uncompressed data volume from compressed HTTP replies. Instead of setting constraints, the current design allows indefinite expansion during processing. This absence of limits could lead...
Revive Adserver: Reflected XSS in banner-acl.php and channel-acl.php via executionorder
Vulnerability description not provided...
curl: File URL UNC Path Access (Windows SSRF)
Vulnerability Details - CVSSv3: 7.5 (High) - Windows only - File: lib/urlapi.c:974-1030 - Issue: Windows file:// URLs accept UNC paths to remote servers - Impact: SSRF, unauthorized network file access, credential theft. Vulnerable Code (C): // lib/urlapi.c:974-1030 if(ptr[0] != '/' &&...
curl: Heap Buffer Over-Read via Malicious SMB Server READ_ANDX Response
DESCRIPTION: Summary: I discovered a heap buffer over-read vulnerability in libcurl's SMB protocol implementation. A malicious SMB serv...
curl: Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS
Summary: A heap-based buffer overflow exists in the AmigaOS-specific DNS resolution function Curl_ipv4_resolve_r located in lib/amigaos.c. The function uses gethostbyname_r with a fixed-size heap buffer (CURL_HOSTENT_SIZE) and performs incorrect pointer arithmetic when calculating the data buffer offset...
Revive Adserver: Reflected XSS in afr.php
Vulnerability description not provided...
curl: Certificate Pinning Bypass with wolfSSL backend over HTTP/3
Summary: A security feature bypass exists in libcurl when built with the wolfSSL backend and HTTP/3 support. The Certificate Pinning feature (--pinnedpubkey) is silently ignored if the user also disables peer verification (-k or --insecure). This behavior is inconsistent with other backends like...
Basecamp: Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure
A vulnerability was discovered where unauthenticated users could access private files and file previews on the application through Active Storage URLs. This vulnerability allowed information disclosure, as the files and previews could be accessed without any authentication or authorization checks...
curl: Heap Overflow in cURL AmigaOS Socket Implementation
Buffer Overflow in cURL AmigaOS Socket Implementation. Report Metadata - Report ID: H1-CURL-AMIGAOS-001 - Report Title: Heap Buffer Overflow in Curl_ipv4_resolve_r in AmigaOS Socket Backend - Component: /home/el-ha9/curl/lib/amigaos.c - Curl_ipv4_resolve_r function - Affected Versions: All cURL versions...
curl: Curl Alt-Svc Parser Stack Buffer Overflow
cURL Alt-Svc Parser Stack Buffer Overflow Vulnerability Analysis In Simple Terms A critical security flaw was discovered in cURL versions 7.64.0-7.89.0 that allows attackers to run malicious code on your system by exploiting how cURL processes certain HTTP responses. When cURL receives a speciall...
Node.js: Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)
A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when --permission was enabled. Even without --allow-net, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking t...
curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization
Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences (../ and ./) from URLs according to RFC 3986. However, the function only recognizes literal forward slashes (/) when identifying path segments and does not handle URL-encoded slashes (%2f or %2F). Thi...
Nintendo: ASLR leak in Mario Kart World through LAN mode
A vulnerability was discovered in the LAN mode of Mario Kart World that allowed an ASLR leak. This vulnerability was found in the game's software...
Node.js: Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling
Summary: In Node.js' crypto module, the createDecipheriv documentation states that "the authTagLength option defaults to 16 bytes and must be set to a different value if a different length is used." The authentication tag's length is however not validated against that default value and can be truncated do...
curl: testing hackerone functions
Hi team, I am testing HackerOne functions and I need some help from you. This is my test account; can you blacklist me from your program? Not ban, just blacklist. Impact: thanks...
curl: Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization
Summary: A Denial of Service (DoS) vulnerability exists in the dedotdotify function in lib/urlapi.c that can cause excessive CPU consumption due to O(n²) time complexity when processing URLs with malicious path patterns containing many ../ sequences. Affected Component - Component: libcurl URL API -...
IBM: Remote Code Execution identified on IBM endpoint.
A remote code execution vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated...
Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution
Vulnerability description not provided...
curl: Buffer Overflow in cURL Internal printf Function
A critical buffer overflow vulnerability exists in the curl_msprintf function in cURL's internal printf implementation. The function writes formatted output to a user-provided buffer without performing any bounds checking, allowing attackers to overflow arbitrary memory and potentially achieve...
curl: Terminal Output Not Great
Summary: No AI here, I just came across this (Python): import random; import string; from http.server import BaseHTTPRequestHandler, HTTPServer; class MaliciousHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200); self.send_header('Content-Type', 'text/plain'); randid =...
curl: Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)
Summary: A stack-based buffer overflow exists in the wssl_strerror function of cURL's wolfSSL TLS backend. The function uses an unsafe strcpy call, relying solely on a DEBUGASSERT macro for boundary checking. This macro is disabled in production release builds (-DNDEBUG), allowing memory corruption...
curl: CVE-2025-14524: bearer token leak on cross-protocol redirect
Summary: A vulnerability exists in libcurl regarding the handling of OAuth2 Bearer tokens (CURLOPT_XOAUTH2_BEARER) during HTTP redirects. While libcurl correctly clears standard authentication credentials (CURLOPT_USERPWD) when following a redirect to a different host, port, or protocol (a security...
Stripo Inc: [Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.
An unauthorized cross-tenant data access vulnerability was discovered in the Stripo AI Hub Campaign. The vulnerability allowed access to data from a deleted project. The issue was resolved...
IBM: [RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182
Vulnerability description not provided...
Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers
A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when async_hooks.createHook was enabled. Instead of reaching process.on('uncaughtException'), the process terminated, making the crash unrecoverable...