Description
## Summary:
There is a double-free bug in tool_ssls_load() (tool_ssls.c): the same two pointers can be freed at lines 83-84 and then again at lines 129-130:
```c
curl_free(shmac);
curl_free(sdata);
```
The root cause is that lines 83-84 free `shmac` and `sdata` without resetting them to NULL, so the cleanup at lines 129-130 frees the same pointers a second time.
If the session file is malformed, the double free is triggered.
No AI was used to find the issue or generate the report.
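The pattern behind the bug, as an added example written for this page (it is not curl's code, and the `HMACHEX:DATAHEX` hex record format, the `HMAC_LEN` content rule and the allocation tracker are constructed stand-ins, not curl's session-file format or its checks): a loader decodes two fields per record into fresh buffers, frees them on a skip path, and frees again in its final cleanup. The `fix` flag selects whether the skip path resets the pointers to NULL; the tracker counts a free of a stale pointer instead of letting `free()` corrupt the heap, so both variants can run side by side.

```c
/* Added example, not curl's code: the free-without-NULL pattern the report
 * describes, on a constructed "HMACHEX:DATAHEX" record format (not curl's
 * session-file format). A small allocation tracker counts a free of a stale
 * pointer instead of letting free() corrupt the heap, so the buggy and the
 * fixed variant can run side by side. */
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64
static void *live[MAX_LIVE];  /* blocks currently allocated */
static int double_frees;      /* frees of pointers no longer in live[] */

static void *tmalloc(size_t n)
{
  void *p = malloc(n);
  if(!p) abort();
  for(int i = 0; i < MAX_LIVE; i++)
    if(!live[i]) { live[i] = p; return p; }
  abort();
}

static void tfree(void *p)
{
  if(!p) return;
  for(int i = 0; i < MAX_LIVE; i++)
    if(live[i] == p) { live[i] = NULL; free(p); return; }
  double_frees++;  /* a real free() here is the double free */
}

static int hexval(char c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  return -1;
}

/* decode n hex chars into a fresh buffer; NULL on odd length or bad digit */
static unsigned char *hex_decode(const char *s, size_t n, size_t *outlen)
{
  if(n % 2) return NULL;
  unsigned char *out = tmalloc(n / 2 + 1);
  for(size_t i = 0; i < n; i += 2) {
    int hi = hexval(s[i]), lo = hexval(s[i + 1]);
    if(hi < 0 || lo < 0) { tfree(out); return NULL; }
    out[i / 2] = (unsigned char)(hi * 16 + lo);
  }
  *outlen = n / 2;
  return out;
}

/* split "HMACHEX:DATAHEX" into two fresh buffers; 0 on success and nothing
 * left allocated on failure */
static int parse_record(const char *line, unsigned char **hmac, size_t *hlen,
                        unsigned char **data, size_t *dlen)
{
  const char *sep = strchr(line, ':');
  if(!sep) return -1;
  *hmac = hex_decode(line, (size_t)(sep - line), hlen);
  if(!*hmac) return -1;
  *data = hex_decode(sep + 1, strlen(sep + 1), dlen);
  if(!*data) { tfree(*hmac); *hmac = NULL; return -1; }
  return 0;
}

#define HMAC_LEN 4  /* constructed content rule standing in for the real check */

/* fix == 0 reproduces the reported bug (free without reset on the skip path);
 * fix == 1 resets both pointers after freeing. Returns the number of stale
 * frees seen; *imported receives the number of accepted entries. */
static int load_sessions(const char *lines[], int n, int fix, int *imported)
{
  unsigned char *shmac = NULL, *sdata = NULL;
  size_t hlen = 0, dlen = 0;
  double_frees = 0;
  *imported = 0;
  for(int i = 0; i < n; i++) {
    if(parse_record(lines[i], &shmac, &hlen, &sdata, &dlen))
      continue;                /* parse failure owns nothing, safe to skip */
    if(hlen != HMAC_LEN) {     /* content check fails: drop this entry */
      tfree(shmac);
      tfree(sdata);
      if(fix) { shmac = NULL; sdata = NULL; }
      continue;                /* without the reset the stale pointers survive */
    }
    if(dlen == 0)
      break;                   /* import failed: stop with buffers still owned */
    (*imported)++;             /* entry accepted */
    tfree(shmac); tfree(sdata);
    shmac = NULL; sdata = NULL;
  }
  /* cleanup for the early-exit path; if the last skipped entry left stale
   * pointers behind, these two calls are the second free */
  tfree(shmac);
  tfree(sdata);
  return double_frees;
}
```

With `fix == 0`, a single malformed record as the last line of the input reaches the final cleanup with both pointers dangling, which is the shape of the reported trigger; a well-formed record after the malformed one reassigns the pointers and hides the bug, which is why a minimal PoC file is enough. Setting the pointers to NULL on every free (or funnelling all frees through one exit) removes the second free, because `free(NULL)` and `curl_free(NULL)` are no-ops.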
## Affected version
It was introduced in commit https://github.com/curl/curl/commit/515a21f350b89f0676e5df7f904c62c8f67be377 on Jan 9, 2025.
So it can affect v8.12.0 through v8.17.0. It only affects the `curl` command-line tool.
## Steps To Reproduce:
1. Build curl-8_17_0 from source (my configure is: `./configure --enable-debug --with-openssl --enable-static --disable-shared --enable-ssls-export`). `--enable-ssls-export` is the key to enabling the vulnerable code.
2. Create a malformed session file (please refer to the attached one). The idea is to make the loop `continue` after the frees, before `shmac` and `sdata` are reset or reassigned by curlx_base64_decode(). My choice is to directly leverage the content check at https://github.com/curl/curl/blob/master/src/tool_ssls.c#L81-L91.
3. Run the `curl` tool: `./src/curl --ssl-sessions .curl_ssl_sessions https://example.com`. That's it.
Note:
To be honest, I am very happy but also a bit "disappointed" when my tool found it, because the feature `SSLS-EXPORT` is marked as EXPERIMENTAL again.
I understand that the project should provide appropriate reminders to users due to the possible unstable functionalities of new features. But as a contributor, I sincerely hope that maintainers can evaluate based on the facts of the code and the actual scope, rather than policy labels. By doing so, I believe that contributors will be more motivated to extensively test new features to help curl grow better.
Anyway, I responsibly reported it and its PoC here, as well as submitting the corresponding patch via PR (https://github.com/curl/curl/pull/19588) with no sensitive words mentioned.
## Supporting Material/References:
The malformed PoC session file (`.curl_ssl_sessions`).
* [attachment / reference] `.curl_ssl_sessions`
## Impact
## Summary:
Attackers can trigger a double free via a specially crafted SSL session file, causing a DoS or other potentially dangerous behavior.
Attack Prerequisites:
- Requires the SSLS-EXPORT feature to be enabled (built with `--enable-ssls-export`)
- Attacker can influence the SSL session file content, or can influence the session data generation process
Basic Information
- ID: H1:3431180
- Published: Nov 18, 2025 at 11:19
- Modified: Nov 18, 2025 at 23:32