{“lastseen”:”2025-11-16T23:25:48″,”description”:”## Summary:\\nThere is a double-free in libcurl with rustls.\\nThe root cause is reported and it is fixed in https:\/\/github.com\/curl\/curl\/pull\/19425, while I did not try to evaluate the actual triggering at that time.\\n\\nNo AI was used to find the issue or generate the report.\\n\\n## Affected version\\nIt was introduced via commit https:\/\/github.com\/curl\/curl\/commit\/088f0e6a5b8d934073a0e089ebecd14ca75120c4 on Mar 25, 2025.\\nIt affected the official version from v8.13.0 to v8.17.0.\\n\\n## Steps To Reproduce:\\n1. Installation:\\n (1) Install rustls-ffi via https:\/\/github.com\/rustls\/rustls-ffi\/releases\/download\/v0.15.0\/librustls_0.15.0_amd64.deb.zip.\\n (2) Build curl-8_17_0 from source. (my configure is: \\”.\/configure –enable-debug –enable-static –disable-shared –with-rustls\\”)\\n2. Compile the basic PoC program via \\”gcc -o test_rustls_fail test.c -I.\/include .\/lib\/.libs\/libcurl.a -lnghttp2 -lpsl -lrustls -lpthread -lz -fsanitize=address -g\\” (The source of PoC program is attached). The basic target is to trigger NoServerCertVerifier of rustls_client_config_builder_build() at https:\/\/github.com\/rustls\/rustls-ffi\/blob\/0b5f053fe5200e262ed70c100cc5486ce76d9d8a\/librustls\/src\/client.rs#L505.\\nIn cr_init_backend, https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/vtls\/rustls.c#L1046-L1067 is for setting the verifier. Once `!conn_config-\\u003everifypeer`, `ssl_config-\\u003enative_ca_store` and `(ca_info_blob || ssl_cafile)` are not satisfied, then the verifier will not be inited.\\n3. Run the PoC program. The output\/sanitizer info will show the double-free problem.\\n\\nNote:\\nI did not fully try other unsuccessful possibilities of rustls_client_config_builder_build(). The PoC is just a real triggering case to show the existence of double-free.\\nBased on my personal analysis, it is mainly affect the libcurl and it is hard to reproduce it in a controllable manner for curl tool.\\nHowever, there is still a risk of curl crashing in the oom scenario.\\nFor example, the API `rustls_client_config_builder_dangerous_set_certificate_verifier` returns OK yet the verifier may not be successfully set due to oom at https:\/\/github.com\/rustls\/rustls-ffi\/blob\/0b5f053fe5200e262ed70c100cc5486ce76d9d8a\/librustls\/src\/client.rs#L218.\\n\\nMaybe we can also further prevent it earlier just like below:\\n“`c\\n else if(ca_info_blob || ssl_cafile) {\\n result = init_config_builder_verifier(data,\\n config_builder,\\n conn_config,\\n ca_info_blob,\\n ssl_cafile);\\n if(result != CURLE_OK) {\\n rustls_client_config_builder_free(config_builder);\\n return result;\\n }\\n }\\n+ else {\\n+ rustls_client_config_builder_free(config_builder);\\n+ return CURLE_SSL_CONNECT_ERROR;\\n+ }\\n“`\\n\\n## Supporting Material\/References:\\nThe source of PoC program.\\n\\n* Please see the attached file `test.c`.”,”published”:”2025-11-16T07:32:52″,”modified”:”2025-11-16T22:40:20″,”type”:”hackerone”,”title”:”curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash”,”source”:””,”references”:””,”id”:”H1:3427670″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3427670″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-16T23:25:48″,”description”:”## Summary:\\nThere is a double-free in libcurl with rustls.\\nThe root cause is reported and it is fixed in https:\/\/github.com\/curl\/curl\/pull\/19425, while I did not try to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-26427","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n