{“lastseen”:”2025-11-11T07:25:47″,”description”:”## Summary:\\ncurl is vulnerable to silent Man-in-the-Middle (MITM) attacks\\ndue to its design, which implicitly trusts the CA certificate path specified in the CURL_CA_BUNDLE environment variable.\\n\\nThis mechanism allows the entire TLS trust model (chain of trust) of curl to be hijacked without any warning or notification to the user. This fundamentally violates the security promise of HTTPS connections, where users trust that curl will strictly verify server identities. By failing to warn when the system trust store is replaced, curl creates a false sense of security, allowing attackers to decrypt and manipulate HTTPS traffic.\\n\\nI confirm that I performed the vulnerability discovery and core technical analysis manually. However, AI tools (such as Gemini\/ChatGPT) were utilized solely for summarizing the findings, calculating the CVSS score, and drafting the formal report structure based on my raw technical data. AI was not used to generate the exploit code or perform the scan\/discovery.\\n\\n## Affected version\\ncurl\/libcurl version: 8.15.0\\nplatform: x86_64-pc-linux-gnu\\nRelease-Date: 2025-07-16, security patched: 8.15.0-1\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss\\nFeatures: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd\\n\\n## Steps To Reproduce:\\nPrepare two terminals.\\n\\nIn the first terminal\\n 1. download tools mitmproxy ( sudo apt install mitmproxy )\\n 2. After that, run the mitmproxy \\n 3. and then click n \\n\\nsecond terminal\\n 1. Type the command in the terminal\\nexport CURL_CA_BUNDLE=~\/.mitmproxy\/mitmproxy-ca-cert.pem\\n\\n 2. Run curl to make an HTTPS request through the mitmproxy proxy. Users are unaware that TLS trust has been compromised.\\ncurl –proxy http:\/\/localhost:8080 https:\/\/example.com\\n\\nExploit Verification (`curl` Failure):\\n* In the second `curl` Terminal: The command executed successfully without any SSL\/TLS errors. This is proof that curl has silently accepted a fake CA and incorrectly reported the connection as secure.\\n* In the first terminal `mitmproxy` window: You will see HTTPS traffic from example.com in plain text (plaintext). This proves that the MITM attack was successful, and the confidentiality and integrity of the connection have been completely compromised.\\n\\n## Supporting Material\/References:\\n1. CWE-295: Improper Certificate Validation\\n2. The root cause of this security issue lies in how `curl` handles trust store replacement.\\nfile source: `src\/tool_operate.c`\\n\\nenvironment and use it to replace the system’s default trust store. Its failure is that it does not treat this operation as a highly security-sensitive action that requires explicit warning to the user. It is this silent replacement that undermines the HTTPS security model.\\n\\n## Impact\\n\\n## Summary: The impact of this design vulnerability is Critical. It allows for complete interception and manipulation of HTTPS traffic through Man-in-the-Middle (MITM) attacks.\\n\\n* Total Loss of Confidentiality and Integrity: Attackers can read and modify all data sent or received by curl over HTTPS connections, including:\\n * Login Credentials (Username, Password)\\n * API Keys and Authentication Tokens (Bearer Tokens)\\n * Session Cookies\\n * Personal and Financial Data\\n \\n* Creation of a False Sense of Security: This is the most dangerous impact. Users see https:\/\/ and believe that their connection is secure and verified. However, curl has secretly violated this security promise. curl’s failure to warn users about the trust store replacement turns it from a secure tool into an attack vector.\\n\\nThis is not a matter of users being tricked into running commands, but rather `curl` failing to fulfill its fundamental security responsibility of enforcing TLS connection integrity.”,”published”:”2025-11-10T18:04:42″,”modified”:”2025-11-11T06:40:52″,”type”:”hackerone”,”title”:”curl: Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM”,”source”:””,”references”:””,”id”:”H1:3418776″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3418776″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-11T07:25:47″,”description”:”## Summary:\\ncurl is vulnerable to silent Man-in-the-Middle (MITM) attacks\\ndue to its design, which implicitly trusts the CA certificate path specified in the CURL_CA_BUNDLE environment variable.\\n\\nThis…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-25541","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n