Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3584903 by nobcoder
Summary
libcurl may reuse an existing HTTP proxy CONNECT tunnel without matching proxy credentials when selecting a reusable connection. In lib/url.c, url_match_proxy_use() calls proxy_info_matches() (lib/url.c:930-935 → lib/url.c:589-595), and that matcher compares proxy type, host, and port but does not compare proxy username or password. When a shared connection cache is used (CURLSH + CURL_LOCK_DATA_CONNECT), a transfer using different proxy credentials can reuse a previously authenticated tunnel. In my reproduction the proxy receives only one CONNECT request with good:good, while a second transfer configured with bad:bad succeeds through the existing tunnel without issuing a new CONNECT. This was reproduced both with sequential libcurl transfers and with a wrapper/daemon model where multiple clients submit jobs to a process holding the shared connection cache. Control tests show the issue does not occur when connections are not shared (noshare) or when the destination host differs.
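A minimal C model of the matching gap the report describes, added here as illustration and not taken from libcurl's sources: the weak matcher compares only proxy type, host and port, while the hardened matcher also requires identical proxy credentials before a cached tunnel may be reused. The struct layout, field names, `proxy.example` and port 3128 are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of the proxy fields a connection matcher
 * inspects; added illustration, not code from libcurl's lib/url.c. */
typedef struct {
    int proxytype;      /* e.g. HTTP vs SOCKS */
    const char *host;
    int port;
    const char *user;   /* proxy credentials, NULL when unset */
    const char *passwd;
} proxy_info;

static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Matcher with the gap the report describes: type, host and port only. */
bool proxy_matches_weak(const proxy_info *cached, const proxy_info *wanted)
{
    return cached->proxytype == wanted->proxytype &&
           str_eq(cached->host, wanted->host) &&
           cached->port == wanted->port;
}

/* Hardened matcher: also require identical proxy credentials, so a tunnel
 * authenticated as one user is never handed to a transfer using another. */
bool proxy_matches_strict(const proxy_info *cached, const proxy_info *wanted)
{
    return proxy_matches_weak(cached, wanted) &&
           str_eq(cached->user, wanted->user) &&
           str_eq(cached->passwd, wanted->passwd);
}

/* Constructed scenario from the report: the shared cache holds a CONNECT
 * tunnel opened with good:good; a second transfer to the same proxy is
 * configured with bad:bad. Returns true if the cache would reuse the
 * tunnel (i.e. no new CONNECT, so the proxy never sees bad:bad). */
bool tunnel_reused(bool (*match)(const proxy_info *, const proxy_info *))
{
    proxy_info cached = {0, "proxy.example", 3128, "good", "good"};
    proxy_info wanted = {0, "proxy.example", 3128, "bad", "bad"};
    return match(&cached, &wanted);
}
```

With the weak matcher the second transfer silently rides the good:good tunnel; with the strict matcher it is forced to open its own CONNECT, which the proxy can then reject.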
Affected version