Description
Summary
A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c.
1. Optional Whitespace (OWS) Handling
The current implementation fails to skip optional whitespace after comma delimiters in WWW-Authenticate headers.
For example, in a challenge such as:
WWW-Authenticate: Digest realm="test", nonce="abc"
the parser incorrectly includes the leading space in the subsequent attribute name (e.g., " nonce"), causing key lookups to fail.
2. Escaped Quote Handling
The curlx_str_quotedword() helper used to parse quoted attribute values does not correctly handle escaped characters (e.g., \").
As a result, attribute values such as realm="My \"Cool\" Realm" are truncated or fail to parse entirely. This behavior differs from the previous manual parsing implementation, which handled escaped quotes correctly.
An AI assistant was used only for code navigation and understanding control flow. The issue was identified and verified manually.
Affected Version
• curl: 8.18.0-DEV (latest master branch)
• Platform: All (platform independent)
Steps To Reproduce
1. Set up a server or local listener that returns the following Digest challenge (note the space after the comma):
WWW-Authenticate: Digest realm="test", nonce="xyz"
2. Run : curl --digest -u user:pass http://localhost:8080/
3. Observe that curl fails to correctly parse the nonce and other parameters, resulting in an authentication failure (401 loop or error).
4. Repeat with an escaped quote inside an attribute value:
WWW-Authenticate: Digest realm="My \"Cool\" Realm", nonce="xyz"
5. Observe that curl truncates the realm value or fails to parse the challenge entirely.
6. Supporting Material / References
PoC Output (Python implementation):
- Testing challenge 1: nonce="abc",realm="def"
Found realm: def
- Testing challenge 2 (with space after comma): nonce="abc", realm="def"
FAILED to find realm (BUG CONFIRMED: whitespace issue)
- Testing challenge 3 (with escaped quote): nonce="foo\"bar",realm="def"
FAILED to find realm (BUG CONFIRMED: escape issue)
Relevant Code (lib/vauth/digest.c)
static bool auth_digest_get_key_value(const char *chlg, const char *key,
char *buf, size_t buflen)
{
do {
struct Curl_str data;
struct Curl_str name;
if(!curlx_str_until(&chlg, &name, 64, '=') &&
!curlx_str_single(&chlg, '=')) {
int rc = curlx_str_quotedword(&chlg, &data, 256);
/* ... */
if(curlx_str_cmp(&name, key)) {
/* Fails when name contains leading whitespace */
/* ... */
}
if(curlx_str_single(&chlg, ',')) {
return false; /* OWS after comma is not skipped */
}
}
else
break;
} while(1);
return false;
}
## Impact
Security Impact
This parsing regression allows a malicious or compromised server to deliberately craft RFC-compliant WWW-Authenticate headers that cause curl clients to silently fail Digest authentication.
In security-sensitive environments (API clients, automation, CI/CD, package managers), this can be abused to:
- Trigger repeated authentication failures (DoS-style degradation)
- Force fallback to weaker authentication mechanisms (e.g., Basic auth, or unauthenticated requests depending on configuration)
- Break integrity assumptions in automated systems that rely on Digest authentication for request validation
Because the headers are RFC-compliant, clients cannot distinguish between legitimate and malicious challenges, making this a protocol-level attack surface rather than simple server misconfiguration.
A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c.
1. Optional Whitespace (OWS) Handling
The current implementation fails to skip optional whitespace after comma delimiters in WWW-Authenticate headers.
For example, in a challenge such as:
WWW-Authenticate: Digest realm="test", nonce="abc"
the parser incorrectly includes the leading space in the subsequent attribute name (e.g., " nonce"), causing key lookups to fail.
2. Escaped Quote Handling
The curlx_str_quotedword() helper used to parse quoted attribute values does not correctly handle escaped characters (e.g., \").
As a result, attribute values such as realm="My \"Cool\" Realm" are truncated or fail to parse entirely. This behavior differs from the previous manual parsing implementation, which handled escaped quotes correctly.
An AI assistant was used only for code navigation and understanding control flow. The issue was identified and verified manually.
Affected Version
• curl: 8.18.0-DEV (latest master branch)
• Platform: All (platform independent)
Steps To Reproduce
1. Set up a server or local listener that returns the following Digest challenge (note the space after the comma):
WWW-Authenticate: Digest realm="test", nonce="xyz"
2. Run : curl --digest -u user:pass http://localhost:8080/
3. Observe that curl fails to correctly parse the nonce and other parameters, resulting in an authentication failure (401 loop or error).
4. Repeat with an escaped quote inside an attribute value:
WWW-Authenticate: Digest realm="My \"Cool\" Realm", nonce="xyz"
5. Observe that curl truncates the realm value or fails to parse the challenge entirely.
6. Supporting Material / References
PoC Output (Python implementation):
- Testing challenge 1: nonce="abc",realm="def"
Found realm: def
- Testing challenge 2 (with space after comma): nonce="abc", realm="def"
FAILED to find realm (BUG CONFIRMED: whitespace issue)
- Testing challenge 3 (with escaped quote): nonce="foo\"bar",realm="def"
FAILED to find realm (BUG CONFIRMED: escape issue)
Relevant Code (lib/vauth/digest.c)
static bool auth_digest_get_key_value(const char *chlg, const char *key,
char *buf, size_t buflen)
{
do {
struct Curl_str data;
struct Curl_str name;
if(!curlx_str_until(&chlg, &name, 64, '=') &&
!curlx_str_single(&chlg, '=')) {
int rc = curlx_str_quotedword(&chlg, &data, 256);
/* ... */
if(curlx_str_cmp(&name, key)) {
/* Fails when name contains leading whitespace */
/* ... */
}
if(curlx_str_single(&chlg, ',')) {
return false; /* OWS after comma is not skipped */
}
}
else
break;
} while(1);
return false;
}
## Impact
Security Impact
This parsing regression allows a malicious or compromised server to deliberately craft RFC-compliant WWW-Authenticate headers that cause curl clients to silently fail Digest authentication.
In security-sensitive environments (API clients, automation, CI/CD, package managers), this can be abused to:
- Trigger repeated authentication failures (DoS-style degradation)
- Force fallback to weaker authentication mechanisms (e.g., Basic auth, or unauthenticated requests depending on configuration)
- Break integrity assumptions in automated systems that rely on Digest authentication for request validation
Because the headers are RFC-compliant, clients cannot distinguish between legitimate and malicious challenges, making this a protocol-level attack surface rather than simple server misconfiguration.
Basic Information
ID
H1:3473384
Published
Dec 20, 2025 at 11:55
Modified
Dec 21, 2025 at 21:44