{"id":25423,"date":"2025-11-10T11:37:11","date_gmt":"2025-11-10T11:37:11","guid":{"rendered":"http:\/\/localhost\/?p=25423"},"modified":"2025-11-10T11:37:11","modified_gmt":"2025-11-10T11:37:11","slug":"curl-arbitrary-configuration-file-inclusion-via-external-control-of-file-name-or-path","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=25423","title":{"rendered":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-11-10T16:40:11&#8243;,&#8221;description&#8221;:&#8221;## Summary:\\nThe Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config \\u003cfile\\u003e option. This flaw is a form of External Control of File Name or Path (CWE-73), occurring due to the lack of adequate validation on the user-supplied configuration file path.\\n\\nAn attacker can leverage this weakness to:\\nTrick a user into executing curl with a malicious configuration file located at an arbitrary path (e.g., \/tmp\/malicious.curlrc).\\n\\nSignificantly control curl's behavior, including setting dangerous options such as url = \\\"file:\/\/\/\\\" and output = \\\"&#8230;\\\".\\n\\nThe impact is Critical, potentially allowing the attacker to perform a Local File Read of sensitive files like \/etc\/passwd and an Arbitrary File Write to arbitrary locations on the victim's system.\\n\\n\\\"I confirm that I performed the vulnerability discovery and core technical analysis manually. However, AI tools (such as Gemini\/ChatGPT) were utilized solely for summarizing the findings, calculating the CVSS score, and drafting the formal report structure based on my raw technical data. 
AI was not used to generate the exploit code or perform the scan\/discovery.\\\"\\n\\n## Affected version\\ncurl\/libcurl version: 8.15.0\\nplatform: x86_64-pc-linux-gnu\\n\\n## Steps To Reproduce:\\n\\n  1. Create a malicious configuration file:\\nOpen the terminal and run the following commands to create a file named \/tmp\/malicious.curlrc. This file instructs curl to read \/etc\/passwd and save it to \/tmp\/stolen_passwd.txt.\\n\\necho 'url = \\\"file:\/\/\/etc\/passwd\\\"' \\u003e \/tmp\/malicious.curlrc\\necho 'output = \\\"\/tmp\/stolen_passwd.txt\\\"' \\u003e\\u003e \/tmp\/malicious.curlrc\\n\\n  2. Run curl and point it at the configuration file you just created with the --config option:\\n\\ncurl --config \/tmp\/malicious.curlrc\\n\\n  3. Check whether the file \/tmp\/stolen_passwd.txt has been created and contains the contents of \/etc\/passwd:\\n\\ncat \/tmp\/stolen_passwd.txt\\n\\nResult:\\n\\ncurl executes instructions from configuration files without warning, reads sensitive local files (\/etc\/passwd), and writes them to a location specified by the attacker (\/tmp\/stolen_passwd.txt).\\n\\nThis proves that attackers can read arbitrary local files and write to locations accessible to the user running curl.\\n\\n## Supporting Material\/References:\\nThis vulnerability stems from the way curl parses configuration files without adequate path validation.\\n\\nSource file: \/curl\/src\/\\n\\nThe curlx_fopen function is called with a filename that is directly controlled by the user via the --config argument.\\nVulnerable line of code:\\nfile = curlx_fopen(filename, FOPEN_READTEXT);\\n\\nExecution point (sink): Each line of the configuration file is then processed by the `getparameter` function, which executes malicious instructions such as `url` and `output`.\\nCode:\\nres = getparameter(option, param, \\u0026usedarg, config, max_recursive);\\n\\n  * Reference: CWE-73: External Control of File Name or Path\\n\\n## Impact\\n\\nThe impact of this vulnerability is Critical, as it gives attackers the ability to perform several dangerous actions on the target system, depending on the access rights of the user running curl.\\n\\n 1. Sensitive Information Disclosure:\\nAn attacker can read any file accessible to the user. This includes, but is not limited to:\\n* User Credentials: Private SSH keys (~\/.ssh\/id_rsa), shell history files (~\/.bash_history), API tokens, or cloud credentials stored in ~\/.aws\/credentials.\\n* Application Secrets: Configuration files containing database passwords, API keys, or other sensitive data.\\n* System Data: Files such as \/etc\/passwd or system logs that can be used for user enumeration and system mapping.\\n\\n 2. File Modification and Potential Code Execution (Arbitrary File Write \\u0026 Code Execution):\\n  By using output parameters in configuration files, attackers can write or overwrite files in permitted locations. Attack scenarios include:\\n* Achieving Persistent Code Execution: Overwriting startup shell files such as ~\/.bashrc or ~\/.profile to insert malicious commands that will be executed every time a user logs in.\\n* Planting a Web Shell: If curl is run by the web server, attackers can write PHP files or other scripts to the web directory (\/var\/www\/html\/shell.php), which gives them remote shell access.\\n* Compromising System Integrity: Overwriting important files that can cause Denial of Service (DoS).\\n\\n3. SSRF (Server-Side Request Forgery) Attack:\\n  An attacker can force the server to make network requests to internal resources that are not accessible from the outside. 
By setting url = \u201chttp:\/\/169.254.169.254\/latest\/meta-data\/\u201d (in an AWS environment) or url = \u201chttp:\/\/localhost:8080\/admin\u201d, attackers can scan the internal network and steal data from internal services.\\n\\nOverall, this vulnerability compromises the three pillars of security: Confidentiality, Integrity, and potentially Availability of the system.&#8221;,&#8221;published&#8221;:&#8221;2025-11-10T15:55:21&#8243;,&#8221;modified&#8221;:&#8221;2025-11-10T16:21:14&#8243;,&#8221;type&#8221;:&#8221;hackerone&#8221;,&#8221;title&#8221;:&#8221;curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;H1:3418646&#8243;,&#8221;bulletinFamily&#8221;:&#8221;bugbounty&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userIn
teraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/hackerone.com\/reports\/3418646&#8243;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-11-10T16:40:11&#8243;,&#8221;description&#8221;:&#8221;## Summary:\\nThe Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the &#8211;config \\u003cfile\\u003e option. 
This flaw is a form of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-25423","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head_json":{"title":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=25423","og_locale":"en_US","og_type":"article","og_title":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-11-10T16:40:11&#8243;,&#8221;description&#8221;:&#8221;## Summary:nThe Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the &#8211;config u003cfileu003e option. This flaw is a form of...","og_url":"https:\/\/zero.redgem.net\/?p=25423","og_site_name":"zero redgem","article_published_time":"2025-11-10T11:37:11+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=25423#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=25423"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646","datePublished":"2025-11-10T11:37:11+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=25423"},"wordCount":910,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","hackerone","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=25423#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=25423","url":"https:\/\/zero.redgem.net\/?p=25423","name":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-10T11:37:11+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=25423#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=25423"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=25423#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path_H1:3418646"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}}}