Description
## Summary
A structural logic flaw in the `libcurl` `Alt-Svc` header parser allows attack attributes (specifically `persist` and `max-age`) to "leak" from one service definition to another.
We have successfully chained this logic bug with `curl`'s HTTP/3 (QUIC) support to demonstrate a **Persistent UDP Amplification** attack. An attacker can force a victim's client to cache a malicious UDP route for up to 30 days (`persist=1`), turning the client into an unwilling participant in a distributed denial-of-service (DDoS) attack against arbitrary targets.
## Affected version
Reproduced on: **curl 8.17.0** (and `libcurl` master branch)
Platform: **Linux/Generic** (Issue is cross-platform)
## Steps To Reproduce
1. **Setup Malicious Server**: Host an HTTP/HTTPS server that returns the following header:
`Alt-Svc: h3="<VICTIM_IP>:12345", h2=":443"; ma=2592000; persist=1`
2. **Trigger (Client Side)**: Run `curl --alt-svc cache.txt https://<ATTACKER_HOST>`
- *Logic Flaw*: `curl` correctly parses `persist=1` for `h2`, but **incorrectly applies it** to `h3` as well due to scope leakage in `lib/altsvc.c`.
3. **Verify Persistence**:
- Inspect `cache.txt`. You will see the `h3` entry for `<VICTIM_IP>` has the persistence flag set and a 30-day expiry.
4. **Verify Attack**:
- Kill the server/client.
- Run `curl https://<ATTACKER_HOST>` again (simulating a future visit).
- `curl` will immediately send a **1200-byte UDP QUIC Initial packet** to `<VICTIM_IP>:12345`.
## Supporting Material
- This utilizes a "Confused Deputy" amplification vector (Factor ~30x).
- Privacy Impact: The persistence flag allows "Server-Side Super Cookies" that track users across network changes.
## Impact
## Summary
This vulnerability transforms `libcurl` clients into a **Persistent Botnet** for UDP Amplification attacks.
1. **DDoS Amplification**: By injecting a malicious QUIC route, an attacker can designate *any* IP address as a target. Every victim who visits the attacker's site once becomes a permanent amplifier, sending heavy UDP traffic to the target on every subsequent visit.
2. **Privacy Violation**: The logic bug allows attackers to force `persist=1` on routes that should be ephemeral, enabling long-term user tracking that persists across network changes (bypassing standard anonymity protections).
A structural logic flaw in the `libcurl` `Alt-Svc` header parser allows attack attributes (specifically `persist` and `max-age`) to "leak" from one service definition to another.
We have successfully chained this logic bug with `curl`'s HTTP/3 (QUIC) support to demonstrate a **Persistent UDP Amplification** attack. An attacker can force a victim's client to cache a malicious UDP route for up to 30 days (`persist=1`), turning the client into an unwilling participant in a distributed denial-of-service (DDoS) attack against arbitrary targets.
## Affected version
Reproduced on: **curl 8.17.0** (and `libcurl` master branch)
Platform: **Linux/Generic** (Issue is cross-platform)
## Steps To Reproduce
1. **Setup Malicious Server**: Host an HTTP/HTTPS server that returns the following header:
`Alt-Svc: h3="<VICTIM_IP>:12345", h2=":443"; ma=2592000; persist=1`
2. **Trigger (Client Side)**: Run `curl --alt-svc cache.txt https://<ATTACKER_HOST>`
- *Logic Flaw*: `curl` correctly parses `persist=1` for `h2`, but **incorrectly applies it** to `h3` as well due to scope leakage in `lib/altsvc.c`.
3. **Verify Persistence**:
- Inspect `cache.txt`. You will see the `h3` entry for `<VICTIM_IP>` has the persistence flag set and a 30-day expiry.
4. **Verify Attack**:
- Kill the server/client.
- Run `curl https://<ATTACKER_HOST>` again (simulating a future visit).
- `curl` will immediately send a **1200-byte UDP QUIC Initial packet** to `<VICTIM_IP>:12345`.
## Supporting Material
- This utilizes a "Confused Deputy" amplification vector (Factor ~30x).
- Privacy Impact: The persistence flag allows "Server-Side Super Cookies" that track users across network changes.
## Impact
## Summary
This vulnerability transforms `libcurl` clients into a **Persistent Botnet** for UDP Amplification attacks.
1. **DDoS Amplification**: By injecting a malicious QUIC route, an attacker can designate *any* IP address as a target. Every victim who visits the attacker's site once becomes a permanent amplifier, sending heavy UDP traffic to the target on every subsequent visit.
2. **Privacy Violation**: The logic bug allows attackers to force `persist=1` on routes that should be ephemeral, enabling long-term user tracking that persists across network changes (bypassing standard anonymity protections).
Basic Information
ID
H1:3483902
Published
Jan 1, 2026 at 11:56
Modified
Jan 2, 2026 at 21:35