hackerone - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
NONE	H1:3442024	curl: runs javascript on powershell when it shouldnt_H1:3442024 On windows, if I run a curl on powershell for a script that should show alert(1) it just executes the script when it shouldn't. I did not use AI t...	N/A	N/A	Nov 26, 2025	HACKERONE
NONE	H1:3442060	curl: Infinite loop issue in the state machine of the curl project_H1:3442060 ## Summary: Vulnerability impact: When curl attempts to download files from a malicious FTP server, it triggers an infinite loop in the code execu...	N/A	N/A	Nov 26, 2025	HACKERONE
NONE	H1:3434510	curl: Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins_H1:3434510 Summary -‍‌‍‍‌‍‌‍‍‌ Component: libcurl core HTTP handling (HTTP/2 request translation and CONNECT detection) - Type: out-of-bounds read resul...	N/A	N/A	Nov 20, 2025	HACKERONE
NONE	H1:3431180	curl: Double free in tool_ssls_load()_H1:3431180 ## Summary: There is a double-free bug(s) in tool_ssls_load(), which can happen at line 83-84 or 129-130 (tool_ssls.c): ```c curl_free(shmac);...	N/A	N/A	Nov 18, 2025	HACKERONE
NONE	H1:3427670	curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash_H1:3427670 ## Summary: There is a double-free in libcurl with rustls. The root cause is reported and it is fixed in https://github.com/curl/curl/pull/19425, w...	N/A	N/A	Nov 16, 2025	HACKERONE
NONE	H1:3427194	curl: Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration_H1:3427194 ## Summary: When a user runs `curl -OJ `, a malicious server can force the response to be saved as `.curlrc` in the working directory. If the user ...	N/A	N/A	Nov 15, 2025	HACKERONE
NONE	H1:3427343	curl: Off-by-One Buffer Overflow in SMB Path Handler_H1:3427343 ## Summary Found an off-by-one buffer overflow in `lib/smb.c` when handling SMB file paths. The bounds check uses `>` instead of `>=`, allowing a ...	N/A	N/A	Nov 15, 2025	HACKERONE
NONE	H1:3427460	curl: Incorrect sizeof() in Rustls Backend Memory Allocation_H1:3427460 ## Summary There's a bug in `lib/vtls/rustls.c` where `malloc()` uses `sizeof(cipher_suites)` instead of `sizeof(*cipher_suites)`. This allocates ...	N/A	N/A	Nov 15, 2025	HACKERONE
NONE	H1:3418861	curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)_H1:3418861 ftp_parse_url_path in lib/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop t...	N/A	N/A	Nov 10, 2025	HACKERONE
NONE	H1:3419617	curl: Hash exposed in public repository_H1:3419617 An image hash is publicly exposed on Github Steps to reproduce: See at >> https://github.com/curl/curl/blob/master/Dockerfile Solution: # If you...	N/A	N/A	Nov 11, 2025	HACKERONE