HACKERONE

curl: Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM (H1:3418776)

Description

## Summary:
curl is vulnerable to silent Man-in-the-Middle (MITM) attacks because, by design, it implicitly trusts the CA certificate path specified in the `CURL_CA_BUNDLE` environment variable.

This mechanism allows the entire TLS trust model (chain of trust) of curl to be hijacked without any warning or notification to the user. This fundamentally violates the security promise of HTTPS connections, where users trust that curl will strictly verify server identities. By failing to warn when the system trust store is replaced, curl creates a false sense of security, allowing attackers to decrypt and manipulate HTTPS traffic.

I confirm that I performed the vulnerability discovery and core technical analysis manually. However, AI tools (such as Gemini/ChatGPT) were utilized solely for summarizing the findings, calculating the CVSS score, and drafting the formal report structure based on my raw technical data. AI was not used to generate the exploit code or perform the scan/discovery.

## Affected version
curl/libcurl version: 8.15.0
platform: x86_64-pc-linux-gnu
Release-Date: 2025-07-16, security patched: 8.15.0-1
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

## Steps To Reproduce:
Prepare two terminals.

In the first terminal:
1. Install mitmproxy (`sudo apt install mitmproxy`).
2. Run mitmproxy.
3. Then press `n`.

In the second terminal:
1. Set the environment variable:
   export CURL_CA_BUNDLE=~/.mitmproxy/mitmproxy-ca-cert.pem

2. Run curl to make an HTTPS request through the mitmproxy proxy. The user gets no indication that TLS trust has been replaced.
   curl --proxy http://localhost:8080 https://example.com

Exploit Verification (`curl` Failure):
* In the second terminal (`curl`): The command completes without any SSL/TLS error. This shows that curl silently accepted the injected CA and reported the connection as secure.
* In the first terminal (`mitmproxy` window): The HTTPS traffic to example.com is visible in plaintext. This shows that the MITM succeeded and that the confidentiality and integrity of the connection were fully compromised.

## Supporting Material/References:
1. CWE-295: Improper Certificate Validation
2. The root cause of this security issue lies in how `curl` handles trust store replacement.
Source file: `src/tool_operate.c`

environment and use it to replace the system's default trust store. The flaw is that curl does not treat this operation as a security-sensitive action that warrants an explicit warning to the user. It is this silent replacement that undermines the HTTPS security model.
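A defender-side check that follows from the reproduction steps and the root cause described above, added here as an example; it is not part of the report and not curl's own code. It is a POSIX shell audit that lists the CA-bundle overrides curl honours (`CURL_CA_BUNDLE`, plus `SSL_CERT_FILE` and `SSL_CERT_DIR`, which OpenSSL-backed curl builds also read) and flags any that point outside the system trust directories, together with a wrapper that runs curl with those variables cleared and an explicit `--cacert`. The trusted-directory list and the Debian bundle path are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Added example: audit a shell environment for CA-bundle overrides that
# curl honours, and run curl with those overrides cleared.

# Assumption: directories that hold the distribution's trust store
# (Debian/Ubuntu and Red Hat style locations). Adjust for your platform.
TRUSTED_DIRS="/etc/ssl /etc/pki /usr/share/ca-certificates /usr/lib/ssl"

# Assumption: the bundle the wrapper pins to (Debian/Ubuntu path).
SYSTEM_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# is_system_path PATH: succeed (0) when PATH lies under a trusted directory.
is_system_path() {
    for d in $TRUSTED_DIRS; do
        case "$1" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_trust_env: print one line per override curl would honour.
# Returns 1 if any override points outside the system trust store,
# 0 otherwise (no override, or only overrides that stay inside it).
audit_trust_env() {
    rc=0
    for var in CURL_CA_BUNDLE SSL_CERT_FILE SSL_CERT_DIR; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || continue
        if is_system_path "$val"; then
            echo "INFO: $var=$val (inside system trust store)"
        else
            echo "WARN: $var=$val replaces curl's CA trust store"
            rc=1
        fi
    done
    return $rc
}

# pinned_curl ARGS...: run curl in a subshell with the override variables
# removed and the CA bundle named explicitly, so a stray environment
# variable cannot swap the trust store underneath the call.
pinned_curl() {
    (
        unset CURL_CA_BUNDLE SSL_CERT_FILE SSL_CERT_DIR
        exec curl --cacert "$SYSTEM_BUNDLE" "$@"
    )
}

# Usage (interactive):
#   audit_trust_env || echo "trust store override present"
#   pinned_curl https://example.com
```

Running `audit_trust_env` from a login script or a CI job makes the override visible before any HTTPS request is made; `pinned_curl` is the belt-and-braces form for scripts that must not inherit trust decisions from their environment.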

## Impact

## Summary:
The impact of this design vulnerability is Critical. It allows for complete interception and manipulation of HTTPS traffic through Man-in-the-Middle (MITM) attacks.

* Total Loss of Confidentiality and Integrity: Attackers can read and modify all data sent or received by curl over HTTPS connections, including:
  * Login Credentials (Username, Password)
  * API Keys and Authentication Tokens (Bearer Tokens)
  * Session Cookies
  * Personal and Financial Data

* Creation of a False Sense of Security: This is the most dangerous impact. Users see https:// and believe that their connection is secure and verified. However, curl has secretly violated this security promise. curl's failure to warn users about the trust store replacement turns it from a secure tool into an attack vector.

This is not a matter of users being tricked into running commands, but rather `curl` failing to fulfill its fundamental security responsibility of enforcing TLS connection integrity.

Basic Information

ID H1:3418776
Published Nov 10, 2025 at 18:04
Modified Nov 11, 2025 at 06:40
