# curl: AWS SigV4 Signature Disclosure via Verbose Logging in libcurl (H1:3361913)

HackerOne report 3361913 against the curl bug bounty program: https://hackerone.com/reports/3361913. Report published 2025-09-29T16:45:59, modified 2025-10-01T07:00:06. The source record carries no CVE, no CWE and no CVSS score (severity recorded as NONE). Mirrored on zero redgem (https://zero.redgem.net/?p=19759, category News, posted 2025-10-01 by invoker).

## Summary

When libcurl is built with AWS SigV4 support, enabling **verbose output** (`CURLOPT_VERBOSE` in libcurl, `--verbose` / `-v` in the curl tool) causes the library to print both the **string-to-sign** and the **final HMAC-SHA256 signature** on its informational output channel.

A SigV4 signature is derived from the secret access key, but it does not reveal that key. What it does carry is authorization for one exact request: the method, path, query, the headers listed in `SignedHeaders` and the payload hash are all bound into the string-to-sign, and AWS accepts the request only while its `x-amz-date` is within 15 minutes of the server clock. Within that window, any operator, log aggregation system or low-privileged account that can read the log can **replay that authenticated AWS API call**; the string-to-sign additionally exposes the credential scope (date, region, service) and the SHA-256 of the canonical request.

The report classes this as a **credential leakage vulnerability** in libcurl's `lib/http_aws_sigv4.c`; what leaks is per-request signing material, not the access key pair.

---

## Affected Component

* File: `lib/http_aws_sigv4.c`
* Function: `aws_sigv4_add()`, which calls `infof()` with the string-to-sign and the computed signature.
* Affects: latest libcurl (tested on 8.x) with AWS SigV4 signing enabled.

---

## Steps to Reproduce

### 1. Setup

* Build libcurl with AWS SigV4 enabled (default since 7.75.0).
* Have valid AWS credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`). curl does not read these variables itself: the key pair is passed with `--user` (`CURLOPT_USERPWD` in libcurl), and `--aws-sigv4` signs with it.
* Enable verbose mode (`--verbose` or `CURLOPT_VERBOSE`).

### 2. Run a Signed Request

Run a simple signed AWS request, e.g. list S3 buckets:

```bash
export AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY…
export AWS_SECRET_ACCESS_KEY=SECRET…
curl --aws-sigv4 "aws:amz:us-east-1:s3" \
     --user "$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY" \
     --verbose \
     https://s3.amazonaws.com/
```

### 3. Observe Logs

On the console (or wherever stderr is redirected), libcurl prints the signing material:

```
* string-to-sign: AWS4-HMAC-SHA256 20250929T124500Z …
* signature: 7a5d1c84e2c3d8f9…
```

The same signature also appears in the outgoing request headers that verbose mode prints for every transfer (`> Authorization: AWS4-HMAC-SHA256 Credential=…, SignedHeaders=…, Signature=…`), next to the `X-Amz-Date` and `x-amz-content-sha256` values the signature covers. A verbose capture therefore already contains what a replay needs; the two `infof()` lines add the string-to-sign (algorithm, timestamp, credential scope and the hash of the canonical request) and repeat the signature on a line that is easy to grep.

### 4. Replay the Request

An attacker with access to these logs can replay the request by resending the `Authorization` header together with every header named in `SignedHeaders`, each with exactly the value the original request used, since the signature was computed over them. For the request above that means at least `X-Amz-Date` and `x-amz-content-sha256`:

```bash
curl -H "Authorization: AWS4-HMAC-SHA256 Credential=…, SignedHeaders=…, Signature=7a5d1c84e2c3d8f9…" \
     -H "X-Amz-Date: 20250929T124500Z" \
     -H "x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" \
     https://s3.amazonaws.com/
```

(`e3b0c4…b855` is the SHA-256 of an empty body, which is what a bodiless GET signs.) The replay succeeds as long as `X-Amz-Date` is within AWS's clock-skew tolerance of 15 minutes, so a logged signature can be reused for up to about 15 minutes after it was generated. Changing the method, path, query, any signed header or the payload invalidates it.

---

## Impact

* **Confidentiality:** the string-to-sign and the signature, both derived from the AWS secret access key, are written to logs. The secret key itself is not recoverable from an HMAC-SHA256 output, but the log now holds a valid credential for one request.
* **Integrity:** attackers can **replay the logged AWS API call** (whatever it was, e.g. a bucket listing, an object download, or an upload with the same payload hash) for as long as the signature is accepted. They cannot mint signatures for other requests.
* **Availability:** replay could be abused to flood services with valid signed requests during the window.
* **Realistic scenario:** any team using `--verbose` for troubleshooting, or shipping libcurl debug output to central log collectors, unintentionally hands replayable AWS requests to less-trusted operators.

---

## Handling Notes

* In libcurl this output can be intercepted before it reaches a log: `CURLOPT_DEBUGFUNCTION` receives the `infof()` lines as `CURLINFO_TEXT` and the outgoing request headers as `CURLINFO_HEADER_OUT`, so a callback can drop or redact the `string-to-sign`, `signature` and `Authorization` lines.
* Treat any stored verbose output containing these lines as exposing a replayable request until 15 minutes after its `X-Amz-Date`; the access key id in `Credential=` identifies which principal's logs to review.
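To make concrete what the two leaked values are and what they do and do not authorize, here is an added worked example of the SigV4 signing derivation next to a model of the service-side check. It is not code from the curl project or from the report. It assumes AWS's documentation example key pair (`AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`), region `us-east-1`, service `s3` and the report's `GET /` with an empty body; `service_accepts` is a simplified stand-in for AWS's verification (skew window plus signature recomputation), not AWS code, and URI encoding of path and query is omitted because it is a no-op for this input.

```python
"""AWS SigV4 signing and a model of service-side verification.

Added example, not curl project code. The key pair below is AWS's published
documentation example, not a live credential."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW = timedelta(minutes=15)   # AWS rejects requests whose x-amz-date is further off than this
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                          # assumed example key id
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"      # assumed example secret
REGION, SERVICE = "us-east-1", "s3"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_amz_date(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def canonical_request(method, path, query, headers, payload_hash):
    """headers: lowercase name -> value. Path and query are used as given;
    a full implementation URI-encodes them (a no-op for "/" and "" here)."""
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    return (f"{method}\n{path}\n{query}\n{canonical_headers}\n{signed_headers}\n{payload_hash}",
            signed_headers)


def signing_key(secret, date):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = ("AWS4" + secret).encode()
    for part in (date, REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign(method, path, query, headers, payload_hash, secret=SECRET_KEY):
    """Return (string_to_sign, signature, Authorization value). The first two
    are the items the report says libcurl writes through infof()."""
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    string_to_sign = f"{ALGORITHM}\n{amz_date}\n{scope}\n{sha256_hex(creq.encode())}"
    signature = hmac.new(signing_key(secret, amz_date[:8]),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={ACCESS_KEY}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return string_to_sign, signature, authorization


def service_accepts(method, path, query, headers, payload_hash, presented_signature, now_amz):
    """Model of the receiving service: enforce the skew window on x-amz-date, then
    recompute the signature over the request actually received and compare.
    A signature lifted from a log therefore works only for the identical request
    and only while its x-amz-date is within MAX_SKEW of the current time."""
    if abs(parse_amz_date(now_amz) - parse_amz_date(headers["x-amz-date"])) > MAX_SKEW:
        return False
    _, expected, _ = sign(method, path, query, headers, payload_hash)
    return hmac.compare_digest(expected, presented_signature)


def demo():
    """The report's reproduction: GET / on s3.amazonaws.com with an empty body."""
    empty = sha256_hex(b"")
    headers = {"host": "s3.amazonaws.com", "x-amz-content-sha256": empty,
               "x-amz-date": "20250929T124500Z"}
    request = ("GET", "/", "", headers, empty)
    string_to_sign, signature, authorization = sign(*request)
    return {
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": authorization,
        # identical request replayed 10 minutes later: accepted (the attack in the report)
        "replay_in_window": service_accepts(*request, signature, "20250929T125500Z"),
        # identical request 20 minutes later: rejected by the skew check
        "replay_expired": service_accepts(*request, signature, "20250929T130500Z"),
        # leaked signature attached to a different path or method: rejected
        "forged_path": service_accepts("GET", "/other-bucket", "", headers, empty,
                                       signature, "20250929T124600Z"),
        "forged_method": service_accepts("PUT", "/", "", headers, empty,
                                         signature, "20250929T124600Z"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the string-to-sign and signature in the form libcurl would log them, then shows the four outcomes: the logged request replays inside the window, fails once `x-amz-date` is more than 15 minutes old, and fails immediately when the same signature is attached to any other path or method.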
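For the operations side of the report (logs that already contain verbose output), here is an added example, not curl project code, of detection and redaction logic run over constructed sample lines shaped like the output in step 3. The sample log, the regular expressions and the `7a5d1c84…` signature value (padded with zeros to 64 hex digits) are assumptions; the access key id is AWS's documentation example id. In libcurl the `redact()` step belongs in a `CURLOPT_DEBUGFUNCTION` callback applied to `CURLINFO_TEXT` and `CURLINFO_HEADER_OUT` data before it is written anywhere.

```python
"""Scan curl/libcurl verbose output for leaked SigV4 material, work out how long
the logged request stays replayable, and redact the lines before they are stored.

Added example, not curl project code. SAMPLE_LOG is constructed to match the
report's reproduction; the access key id is AWS's documentation example."""
import re
from datetime import datetime, timedelta, timezone

REPLAY_WINDOW = timedelta(minutes=15)   # AWS clock-skew tolerance on x-amz-date

# A SigV4 signature is 64 lowercase hex chars, after "signature:" (infof) or "Signature=" (header).
SIGNATURE_RE = re.compile(r"(signature[:=]\s*)([0-9a-f]{64})", re.IGNORECASE)
STRING_TO_SIGN_RE = re.compile(r"(string-to-sign:\s*)(.*)", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"Credential=([A-Z0-9]{16,128})/(\d{8})/([^/\s]+)/([^/\s]+)/aws4_request")
AMZ_DATE_RE = re.compile(r"x-amz-date:\s*(\d{8}T\d{6}Z)", re.IGNORECASE)

# Constructed verbose output for one transfer (the signature is a padded placeholder).
SAMPLE_LOG = [
    "* string-to-sign: AWS4-HMAC-SHA256 20250929T124500Z 20250929/us-east-1/s3/aws4_request " + "c" * 64,
    "* signature: 7a5d1c84e2c3d8f9" + "0" * 48,
    "> GET / HTTP/1.1",
    "> Host: s3.amazonaws.com",
    "> Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20250929/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=7a5d1c84e2c3d8f9" + "0" * 48,
    "> X-Amz-Date: 20250929T124500Z",
    "> x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "< HTTP/1.1 200 OK",
]


def redact(line: str) -> str:
    """Drop the string-to-sign and all but the first 8 hex chars of any signature;
    8 chars are enough to correlate a finding without keeping a replayable value."""
    line = SIGNATURE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)[:8]}...[REDACTED]", line)
    return STRING_TO_SIGN_RE.sub(r"\1[REDACTED]", line)


def scan(lines, now_amz: str) -> dict:
    """Summarise leaked SigV4 material in one transfer's verbose output.
    now_amz is the current time in x-amz-date form (YYYYMMDDTHHMMSSZ).
    replayable_for_s is how many seconds the logged request can still be replayed."""
    finding = {"access_key_id": None, "scope": None, "amz_date": None,
               "signatures": set(), "string_to_sign_logged": False, "replayable_for_s": None}
    for line in lines:
        if STRING_TO_SIGN_RE.search(line):
            finding["string_to_sign_logged"] = True
        finding["signatures"].update(m.group(2).lower() for m in SIGNATURE_RE.finditer(line))
        cred = CREDENTIAL_RE.search(line)
        if cred:
            finding["access_key_id"] = cred.group(1)
            finding["scope"] = "/".join(cred.group(2, 3, 4))
        date = AMZ_DATE_RE.search(line)
        if date:
            finding["amz_date"] = date.group(1)
    if finding["amz_date"]:
        sent = datetime.strptime(finding["amz_date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        now = datetime.strptime(now_amz, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        finding["replayable_for_s"] = max(int((sent + REPLAY_WINDOW - now).total_seconds()), 0)
    return finding


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, "20250929T125000Z"))
    for line in SAMPLE_LOG:
        print(redact(line))
```

The scanner reports the access key id and credential scope (which principal and which date/region/service the material is good for), whether the string-to-sign itself was logged, the distinct signatures seen, and the remaining replay window measured from `X-Amz-Date`. The `x-amz-content-sha256` line is left untouched by `redact()` because a payload hash is not a secret and is needed to understand what was signed.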