{“lastseen”:”2025-11-20T09:30:44″,”description”:”Summary\\n-\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c Component: libcurl core HTTP handling (HTTP\/2 request translation and CONNECT detection)\\n- Type: out-of-bounds read resulting from missing null-termination\\n- Impact: Behavior not defined by the specification, the program can crash (DoS) and CONNECT requests can be misclassified\\n- Root cause: The method string was copied without a null \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200ctermin\\n\\nAffected\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c code paths\\n- Struct layout:\\n- struct httpreq { … char method[1]; }\\n- Allocation and copy (no NUL):\\n- req = calloc(1, sizeof(*req) + m_len);\\n- memcpy(req-\\u003emethod, method, m_len);\\n\\n- Unsafe uses:\\n- strcmp(\\”CONNECT\\”, req-\\u003emethod) \u2014 assumes null-terminated string\\n- strlen(req-\\u003emethod) \u2014 sizes HTTP\/2 pseudo-header :method\\n\\nDirect risk: Both strcmp and strlen may access memory beyond what has been allocated if req-\\u003emethod[m_len] is out-of-bounds. The impact varies with the allocator\/layout; ASan will always detect \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200cthis.\\n\\nSteps\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c to reproduce (concise)\\n\\n- Prereqs: make sure CMake and nghttp2 are installed\\n- What version outputs are you having:\\n“`bash\\n cmake –version \\n“`\\n“`text\\n\u2192 3.26.2\\n“`\\n\\n“`bash\\npkg-config –modversion libnghttp2 \\n“`\\n“`text\\n\u2192 1.52.0\\n“`\\n\\nBuild curl with ASan + HTTP\/2:\\n\\n\\n“`bash\\nmkdir -p build \\u0026\\u0026 cmake -B build -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS=’-O1 -g -fsanitize=address’ -DCMAKE_EXE_LINKER_FLAGS=’-fsanitize=address’ -DCURL_USE_NGHTTP2=ON\\n“`\\n“`bash\\ncmake –build build -j\\”$(nproc)\\”\\n“`\\nVerify binary and features:\\n\\n“`bash\\n.\/src\/curl \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c–version\\n“`\\n{F5027206}\\n\\n## Impact\\n\\nImpact\\n\\n-\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c Denial of Service\/crash: Out of bounds read occurring during the creation of HTTP\/2 pseudo-headers or checking CONNECT logic.\\n-\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c Logic flaw: The function for detecting CONNECT might behave differently due to a comparison of an uninitialized value being performed.\\n\\n- Trigger surface: Any path which produces a struct httpreq (e.g., custom methods) and then executes HTTP\/2 translation or CONNECT \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200cchecks\\n\\nProposed\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c repair (minimal and robust)\\n\\n- In both creators, not only add a null terminator but also allocate memory for \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200cit:\\n\\n“`diff\\n- req = calloc(1, sizeof(*req) + m_len);\\n+ req = calloc(1, sizeof(*req) + m_len + 1);\\n if(!req) goto out;\\n memcpy(req-\\u003emethod, method, m_len);\\n+ req-\\u003emethod[m_len] = ‘\\\\0’;\\n“`\\n\\n-\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c Locations to change:\\nCurl_http_req_make\\nCurl_http_req_make2\\nThis change removes local undefined reads without changing the logic. Optional hardening: replace \u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200cstrcmp(\\”CONNECT\\”,”,”published”:”2025-11-20T03:47:41″,”modified”:”2025-11-20T09:20:56″,”type”:”hackerone”,”title”:”curl: Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We\u2019ve got a real memory-safety bug ins”,”source”:””,”references”:””,”id”:”H1:3434510″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3434510″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-20T09:30:44″,”description”:”Summary\\n-\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c\u200b\u200d\u200b\u200c\u200d\u200b\u200d\u200c Component: libcurl core HTTP handling (HTTP\/2 request translation and CONNECT detection)\\n- Type: out-of-bounds read resulting from missing null-termination\\n- Impact: Behavior not defined by the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-26965","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n