# curl: curl's persistence files inherit world-readable/writable perms from umask, leaking and tampering with cookies/HSTS/Alt-Svc caches (H1:3400761)

Posted on zero redgem (https://zero.redgem.net/?p=23672) by invoker, 2025-10-28. Category: News. Source: HackerOne report https://hackerone.com/reports/3400761 (bug bounty), published 2025-10-27T04:09:34, last modified 2025-10-28T07:09:05. No CVE listed in the record.

## Executive Summary

`Curl_fopen()` clones the permissions of any pre-existing persistence file when creating its temporary file. When the persistence file does not exist, it first creates one with the process umask (typically `022`, i.e., `0644`). That mode is then copied to the temp file via `0600 | sb.st_mode`, so the final cookie/HSTS/Alt-Svc store ends up group/other-readable even though it contains bearer tokens. (`lib/curl_fopen.c:101-150`)

All stateful persistence features that rely on `Curl_fopen()` (`cookie_output()`, `Curl_hsts_save()`, and `Curl_altsvc_save()`) inherit this behavior, leaking session cookies, HSTS cache entries, and Alt-Svc metadata to any local user.

## Steps To Reproduce

Environment: `macOS 26.1 Dev Beta 4`, `commit a49e4e3d16991465144558f405b2d7972824abb0`, built with `./configure --disable-shared --with-openssl=/opt/homebrew/opt/openssl@3 --without-libpsl && make -j8`.

1. Ensure no leftover file and simulate a normal multi-user umask:

```
rm -f /tmp/cookie-leak.txt && umask 022 \
&& ./src/curl -s -o /dev/null -c /tmp/cookie-leak.txt https://example.org \
&& ls -l /tmp/cookie-leak.txt
.rw-r--r-- 131 geeknik 26 Oct 22:22 /tmp/cookie-leak.txt
```

[attachment F4935751]

The cookie jar is created even though no cookies were set, which is enough to demonstrate the default mode of `0644`.

2. As another local user, `cat /tmp/cookie-leak.txt` and read the file contents; in real traffic, full session cookies would be exposed. The same reproduction works for `--hsts` and `--alt-svc` files because they call `Curl_fopen()` through identical code paths.

Additionally, we were able to reproduce this behavior on Fedora with `curl 8.6.0` (x86_64-redhat-linux-gnu).

## CVSS v3.0

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

## Suggested Fix

Replace [lines 140-141](https://github.com/curl/curl/blob/a49e4e3d16991465144558f405b2d7972824abb0/lib/curl_fopen.c#L140) with:

```c
  fd = curlx_open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
```

## Impact

Any local user on the same host (shared CI runners, university shells, managed desktops, etc.) can read authentication cookies, session tokens, CSRF nonces, HSTS preload data, or Alt-Svc targets written by another user's curl/libcurl client. Immediate consequences range from full account takeover (cookie replay) to bypassing HSTS (by rewriting the file before the victim reads it) and intelligence gathering on internal endpoints listed in Alt-Svc caches. Because the files are written automatically whenever `CURLOPT_COOKIEJAR`, `CURLOPT_HSTSWRITEFUNCTION`, or `CURLOPT_ALTSVC` are used, even well-configured automation unintentionally leaks secrets to co-resident users.