# Description
## Summary
When libcurl is built with AWS SigV4 support, enabling **verbose logging** (`CURLOPT_VERBOSE` or `--verbose`) causes the library to print both the **string-to-sign** and the **final HMAC signature** into logs.
Because signatures remain valid for several minutes and are derived directly from AWS credentials, this behavior leaks sensitive material into log files or consoles. Any operator, log aggregation system, or low-privileged account with read access to those logs can **replay authenticated AWS API calls** or recover details of signed requests.
This is a **credential leakage vulnerability** in libcurl's `http_aws_sigv4.c`.
---
## Affected Component
* File: `lib/http_aws_sigv4.c`
* Function: `aws_sigv4_add()`, which calls `infof()` with the string-to-sign and the computed signature.
* Affects: latest libcurl (tested on 8.x) with AWS SigV4 signing enabled.
---
## Steps to Reproduce
**1. Setup**
* Build libcurl with AWS SigV4 enabled (default since 7.75.0).
* Export valid AWS credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`).
* Enable verbose mode (`--verbose` or `CURLOPT_VERBOSE`).
**2. Run a Signed Request**
Run a simple signed AWS request, e.g. list S3 buckets:
```bash
AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY... \
AWS_SECRET_ACCESS_KEY=SECRET... \
curl --aws-sigv4 "aws:amz:us-east-1:s3" \
--verbose \
https://s3.amazonaws.com/
```
**3. Observe Logs**
In the console (or redirected logs), libcurl prints sensitive information:
```
* string-to-sign: AWS4-HMAC-SHA256 20250929T124500Z ...
* signature: 7a5d1c84e2c3d8f9...
```
**4. Replay the Request**
An attacker with access to these logs can immediately replay the request for several minutes:
```bash
curl -H "Authorization: AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=7a5d1c84e2c3d8f9..." \
https://s3.amazonaws.com/
```
The replay succeeds as long as the signature is within the validity window (typically 5 minutes).
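As an added defensive example (not part of this report or of curl's own code), the following Python scrubs the three leak sites shown above from captured verbose output and tells an incident responder whether a leaked string-to-sign timestamp is still inside the 5-minute replay window. The sample log lines are constructed from the output quoted in the report, and the exact line formats matched by the regexes are an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Line formats follow the verbose output quoted in the report (assumption).
STRING_TO_SIGN_RE = re.compile(
    r"^(\*\s*string-to-sign:\s*AWS4-HMAC-SHA256\s+)(\d{8}T\d{6}Z)(.*)$")
SIGNATURE_RE = re.compile(r"^(\*\s*signature:\s*)([0-9a-f]{8,64})\s*$")
AUTH_HEADER_RE = re.compile(r"(Signature=)([0-9a-f]{8,64})")

REDACTED = "[REDACTED-SIGV4]"
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
DEFAULT_WINDOW = timedelta(minutes=5)  # validity window cited in the report

# Constructed sample of a verbose libcurl session; values are not real.
SAMPLE_LOG = [
    "* Connected to s3.amazonaws.com (52.216.0.1) port 443",
    "* string-to-sign: AWS4-HMAC-SHA256 20250929T124500Z "
    "20250929/us-east-1/s3/aws4_request 3b2cdeadbeef",
    "* signature: 7a5d1c84e2c3d8f9",
    "> Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250929/"
    "us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, "
    "Signature=7a5d1c84e2c3d8f9",
    "< HTTP/1.1 200 OK",
]


def redact_sigv4(lines):
    """Return (clean_lines, findings); each finding is (line_no, kind, amz_date).

    The timestamp of the string-to-sign is kept because it is not secret and
    lets a responder judge whether the leaked signature is still replayable."""
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        if m := STRING_TO_SIGN_RE.match(line):
            findings.append((n, "string-to-sign", m.group(2)))
            clean.append(f"{m.group(1)}{m.group(2)} {REDACTED}")
        elif m := SIGNATURE_RE.match(line):
            findings.append((n, "signature", None))
            clean.append(m.group(1) + REDACTED)
        elif AUTH_HEADER_RE.search(line):
            findings.append((n, "authorization-header", None))
            clean.append(AUTH_HEADER_RE.sub(r"\1" + REDACTED, line))
        else:
            clean.append(line)
    return clean, findings


def still_replayable(amz_date, now_amz=None, window=DEFAULT_WINDOW):
    """True if a signature stamped amz_date is still inside the validity window."""
    signed_at = datetime.strptime(amz_date, AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_amz, AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
           if now_amz else datetime.now(timezone.utc))
    return timedelta(0) <= now - signed_at <= window
```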
---
## Impact
* **Confidentiality:** AWS API credentials/signatures are leaked into logs.
* **Integrity:** Attackers can **replay AWS API calls** (e.g., list buckets, upload/download objects).
* **Availability:** Replay could be abused to flood services with valid signed requests.
* **Realistic scenario:** Any team using `--verbose` for troubleshooting, or logging libcurl output to central log collectors, unintentionally leaks AWS secrets to less-trusted operators.
## Basic Information
* ID: H1:3361913
* Published: Sep 29, 2025 at 16:45
* Modified: Oct 1, 2025 at 07:00