{“lastseen”:”2025-11-11T16:25:46″,”description”:”ftp_parse_url_path in lib\/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by \/\/. The code does not perform canonical path normalization (no stack-based handling of . or ..). As a result, encoded traversal sequences such as %2e%2e decode to .. and may become normal path components that cause libcurl to issue CWD .. commands to the remote FTP server. This enables client-driven directory traversal in contexts where an attacker can supply an FTP URL to an application using libcurl.\\n\\nAI usage statement: I used an AI assistant to help draft and structure this report. All technical claims, tests and trace excerpts were executed and verified manually by me in a local test environment. I did not use AI to generate exploit code.\\n\\nAffected version\\n\\nPlease include the exact output of curl -V here when submitting.\\n(Example placeholder \u2014 replace with your exact output):\\n\\ncurl 8.4.0 (x86_64-pc-linux-gnu) libcurl\/8.4.0 OpenSSL\/1.1.1k zlib\/1.2.11\\n\\n\\nTest environment used for verification: Debian-based VM (local build or system curl), pyftpdlib test FTP server (pyftpdlib 2.1.0 used in my tests).\\n\\nSteps To Reproduce:\\n\\nOnly run these steps in an environment you control.\\n\\nPrepare local test directories and files:\\n\\nmkdir -p ~\/curl-test\/dir ~\/curl-test\/testdir\\necho \\”INSIDE\\” \\u003e ~\/curl-test\/dir\/inside.txt\\necho \\”OUTSIDE\\” \\u003e ~\/curl-test\/testdir\/outside.txt\\ncd ~\/curl-test\\n\\n\\nStart a simple local FTP server in that directory (example):\\n\\n# If not installed: python3 -m pip install pyftpdlib\\npython3 -m pyftpdlib -w\\n# Server serves current directory on 127.0.0.1:2121 (or default FTP port)\\n\\n\\nRun curl with trace enabled using an URL that contains an encoded traversal adjacent to repeated slashes:\\n\\ncurl –trace-ascii curl_trace.txt -v \\”ftp:\/\/127.0.0.1:2121\/dir\/\/%2e%2e\/testdir\\” 2\\u003e\\u00261 | tee curl_stdout.txt\\n\\n\\nInspect curl_trace.txt for the CWD commands. Example trace excerpt (observed locally):\\n\\n\\u003e CWD dir\\n\\u003c 250 \\”\/dir\\” is the current directory.\\n\\u003e CWD ..\\n\\u003c 250 \\”\/\\” is the current directory.\\n\\n\\nThis shows that %2e%2e was decoded to .. and libcurl attempted CWD …\\n\\nSupporting Material\/References:\\n\\nAll evidence provided inline as text (no attachments).\\n\\nTrace excerpt (text-only):\\n\\n\\u003e CWD dir\\n\\u003c 250 \\”\/dir\\” is the current directory.\\n\\u003e CWD ..\\n\\u003c 250 \\”\/\\” is the current directory.\\n\\n\\nRelevant local code pointers (text-only):\\n\\n\/* url-decode ftp path before further evaluation *\/\\nresult = Curl_urldecode(ftp-\\u003epath, 0, \\u0026ftpc-\\u003erawpath, \\u0026pathLen, REJECT_CTRL);\\n\\n\/* parse the URL path into separate path components *\/\\nwhile(dirAlloc–) {\\n const char *spos = strchr(curPos, ‘\/’);\\n size_t clen = spos – curPos;\\n if(!clen \\u0026\\u0026 (ftpc-\\u003edirdepth == 0))\\n ++clen;\\n \/* we skip empty path components, like \\”x\/\/y\\” … *\/\\n if(clen) {\\n ftpc-\\u003edirs[ftpc-\\u003edirdepth].start = (int)(curPos – rawPath);\\n ftpc-\\u003edirs[ftpc-\\u003edirdepth].len = (int)clen;\\n ftpc-\\u003edirdepth++;\\n }\\n curPos = spos + 1;\\n}\\n\\n\/* sink: later used to send CWD *\/\\nresult = Curl_pp_sendf(data, \\u0026ftpc-\\u003epp, \\”CWD %s\\”, ftpc-\\u003eentrypath);\\n\\n## Impact\\n\\nPath Traversal (CWE-22) \u2014 Improper Input Validation (CWE-20)\\n\\nOverview:\\nBecause libcurl decodes URL-encoded path segments before canonicalization and then accepts decoded .. components as valid path elements, an attacker who controls an FTP URL may cause libcurl to issue CWD .. commands. This client-side behavior can be leveraged in realistic attack scenarios where libcurl is used by applications for automated FTP fetches.\\n\\nRealistic attack scenarios \\u0026 consequences:\\n\\nRemote file disclosure (Confidentiality): An attacker can craft a URL that causes libcurl to traverse to parent directories and attempt RETR on files outside the intended directory. In automated downloaders, update fetchers, backup\/restore scripts, or content importers that accept external FTP URLs, this may expose sensitive configuration files, credentials, or private data.\\n\\nExample: ftp:\/\/victim-server\/uploads\/%2e%2e\/private\/secret.cfg may lead the client to CWD uploads \u2192 CWD .. \u2192 RETR private\/secret.cfg depending on server behavior and client usage.\\n\\nBypass of client-side filters (Integrity\/Authorization): Applications that perform naive sanitization (e.g., simply searching for literal ..) can be bypassed by sending encoded equivalents (%2e%2e) because decoding occurs before canonicalization.\\n\\nSupply chain \\u0026 automation abuse: Software that automatically processes FTP URLs (e.g., CI\/CD, synchronization tools) could be tricked into fetching or overwriting files outside the permitted area, leading to broader system compromise or corruption.\\n\\nVariance by server implementation: The concrete impact depends on the FTP server\u2019s path handling. Some servers may ignore .., some may enforce chroot-like restrictions, and some may honor CWD … If the server honors CWD .. and the client has permissions to access files above the target directory, the impact is higher.\\n\\nExploitability \/ Preconditions:\\n\\nAttacker must be able to supply an FTP URL that is processed by an application using libcurl (this is common in automated workflows or user-provided URL features).\\n\\nNo special authentication is required in the core logic: if the client is unauthenticated and the server allows directory changes, it may be exploitable unauthenticated; otherwise, impact is limited by authentication and server configuration.\\n\\nSeverity \\u0026 CVSS guidance (estimate):\\n\\nSuggested severity: High.\\n\\nCVSS example vector (estimate for remote readability, no privileges, no user interaction):\\nAV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:L\/A:N \u2192 CVSS ~7.x\\n(Adjust upward if unauthenticated access to highly sensitive data is possible.)\\n\\nWhy this is significant:\\nThis is not merely a formatting bug \u2014 it is a parsing\/normalization logic gap that can be reliably triggered by encoded input. Many applications implicitly trust libcurl for correct path handling; if libcurl issues unintended CWD\/RETR commands based on crafted URLs, confidential files could be exposed or automation workflows abused.\\n\\nSuggested remediation summary (recap):\\n\\nPerform canonical path normalization after URL-decoding and before splitting into path components (stack-based . \/ .. handling, collapse \/\/).\\n\\nReject paths that attempt to traverse above the allowed root for absolute paths (return an error instead of sending CWD).\\n\\nAdd unit tests for encoded traversal cases and mixed permutations.”,”published”:”2025-11-10T19:43:52″,”modified”:”2025-11-11T16:16:19″,”type”:”hackerone”,”title”:”curl: libcurl FTP path normalization flaw allows decoded %2e%2e \u2192 CWD .. and directory escape (Path Traversal, CWE-22)”,”source”:””,”references”:””,”id”:”H1:3418861″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3418861″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-11T16:25:46″,”description”:”ftp_parse_url_path in lib\/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop that skips empty components…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-25670","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n