Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3697719 by xkilua
On libcurl 8.19.0, Proxy Digest state learned from proxyA survives an independent transfer boundary on a reused easy handle and is emitted preemptively to proxyB when the proxy is changed. In the attached C PoC, the first CONNECT to proxyB carries Proxy-Authorization: Digest ... built from proxyArealm / proxyAnonce instead of starting unauthenticated and waiting for a challenge from proxyB. The leaked header is replayable to proxyA for the same CONNECT authority and is accepted with 200, while replay to a different authority is rejected with 407. A fresh easy handle and curl_easy_reset() both suppress the leak. I also confirmed that changing proxy credentials before the second transfer still causes libcurl to build the first proxyB CONNECT from stale proxyA Digest challenge state, and that a proxyB which only advertises Basic still receives stale Digest on the first CONNECT.
Reproduced on Linux x86_64 with:
curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.5.5 zlib/1.3.1 brotli/1.2.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.68.1 ngtcp2/1.21.0 nghttp3/1.15.0 librtmp/2.3 mit-krb5/1.22.1 OpenLDAP/2.6.10
The attached C PoC also prints the runtime version string:
curl_version=libcurl/8.19.0 ...
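The symptom the report describes is visible from the proxy side: the very first CONNECT arrives carrying `Proxy-Authorization: Digest` built from another proxy's realm and nonce, before this proxy has sent any challenge. The following added example (not code from the report or from the curl project) walks a constructed proxy-side trace and flags Digest credentials that were never solicited: a foreign realm, a nonce this proxy never issued, or a `uri` that does not match the CONNECT authority (the report notes replay to a different authority is rejected with 407). The `ProxyEvent` trace format, the realm names and the nonce values are all invented for the example.

```python
import re
from dataclasses import dataclass

# Matches key="quoted value" or key=token inside a Digest parameter list.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value):
    """Parse a 'Digest k=v, ...' header value (challenge or credentials) into a dict.

    Returns None when the scheme is not Digest (e.g. Basic), so callers can skip it.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}


@dataclass
class ProxyEvent:
    """One entry of a constructed proxy-side trace (hypothetical format, not a real log schema)."""
    kind: str         # "challenge": we answered 407; "connect": client sent CONNECT
    authority: str    # CONNECT target, e.g. "origin.example:443"
    header: str = ""  # Proxy-Authenticate value for challenges, Proxy-Authorization value for requests


def audit_connects(events, own_realm):
    """Replay a proxy's trace and flag Digest credentials it never challenged for.

    A CONNECT carrying Digest state from another realm, or a nonce this proxy never
    issued, is the pattern in the report: the client replays stale challenge state
    instead of starting unauthenticated. Returns (event_index, authority, reason, detail).
    """
    issued_nonces = set()
    findings = []
    for idx, ev in enumerate(events):
        params = parse_digest_params(ev.header) if ev.header else None
        if ev.kind == "challenge":
            # Remember nonces handed out under our own realm.
            if params and params.get("realm") == own_realm and "nonce" in params:
                issued_nonces.add(params["nonce"])
            continue
        if params is None:
            continue  # no header, or Basic: nothing Digest-related to check
        if params.get("realm") != own_realm:
            findings.append((idx, ev.authority, "foreign-realm", params.get("realm")))
        elif params.get("nonce") not in issued_nonces:
            findings.append((idx, ev.authority, "unsolicited-nonce", params.get("nonce")))
        elif params.get("uri") not in (None, ev.authority):
            # Digest binds the response to the request target; a mismatch will not verify.
            findings.append((idx, ev.authority, "uri-mismatch", params.get("uri")))
    return findings


# Constructed trace of "proxyB" (realm "proxyB"): the first CONNECT arrives with Digest
# state minted by proxyA, as in the report. Nonces and response hashes are placeholders.
SAMPLE_EVENTS = [
    ProxyEvent("connect", "origin.example:443",
               'Digest username="user", realm="proxyArealm", nonce="proxyAnonce", '
               'uri="origin.example:443", response="00000000000000000000000000000000"'),
    ProxyEvent("challenge", "origin.example:443",
               'Digest realm="proxyB", nonce="b-nonce-1", qop="auth"'),
    ProxyEvent("connect", "origin.example:443",
               'Digest username="user", realm="proxyB", nonce="b-nonce-1", '
               'uri="origin.example:443", response="11111111111111111111111111111111"'),
    ProxyEvent("connect", "other.example:443",
               'Digest username="user", realm="proxyB", nonce="b-nonce-1", '
               'uri="origin.example:443", response="11111111111111111111111111111111"'),
    ProxyEvent("connect", "origin.example:443", "Basic dXNlcjpwYXNz"),
    ProxyEvent("connect", "origin.example:443",
               'Digest username="user", realm="proxyB", nonce="never-issued", '
               'uri="origin.example:443", response="22222222222222222222222222222222"'),
]


if __name__ == "__main__":
    for finding in audit_connects(SAMPLE_EVENTS, "proxyB"):
        print(finding)
```

Running the audit over the constructed trace reports three findings: the first CONNECT (foreign realm `proxyArealm`), the CONNECT to a different authority with a `uri` bound to the original one, and a CONNECT with a nonce this proxy never issued. The Basic entry is skipped, and the legitimately challenged CONNECT produces nothing, which is the baseline a proxy should see from a client that resets its handle (or uses a fresh one) when the proxy changes.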
HackerOne disclosed report --> https://hackerone.com/reports/3669637 by joesephdiver
HackerOne disclosed report --> https://hackerone.com/reports/3642555 by quaccws
HackerOne disclosed report --> https://hackerone.com/reports/3671818 by arkss