{“lastseen”:”2025-12-01T08:25:47″,”description”:”## Summary:\\nThe `file:\/\/` protocol handler in curl does not properly sanitise or block path traversal sequences (`..\/`). This allows a maliciously crafted `file:\/\/` URL to escape the intended directory and access arbitrary files on the filesystem with the permissions of the user running curl.\\n\\nWhen curl is used as a library by another application (e.g., a web server backend) that processes user-supplied URLs, this can be escalated to a remote, arbitrary file read vulnerability.\\n\\nNo AI was used to find this issue or generate this report.\\n\\n## Affected version\\nThis was reproduced on the latest master branch, commit `[c3add7130d7d81add205edbbb75fdfd1f38b3c68]`.\\n`curl -V` output:\\ncurl 8.18.0-DEV (x86_64-pc-linux-gnu) libcurl\/8.18.0-DEV OpenSSL\/3.5.4 zlib\/1.3.1 libpsl\/0.21.2\\nRelease-Date: [unreleased]\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss\\nFeatures: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets\\n\\nPlatform: Debian GNU\/Linux 13 (trixie ) running on x86_64.\\n\\n## Steps To Reproduce:\\n1. Clone and build the latest version of curl from the master branch.\\n2. From the project’s root directory, run the following command:\\n “`bash\\n .\/src\/curl \\”file:\/\/\/any\/dummy\/path\/..\/..\/..\/..\/..\/..\/etc\/passwd\\”\\n “`\\n3. **Expected Result:** curl should fail with an error, stating that the file was not found or that the path is invalid, as it should sanitise the `..\/` sequences.\\n4. **Actual Result:** curl successfully traverses up the directory tree and prints the contents of the `\/etc\/passwd` file to standard output.\\n\\n## Supporting Material\/References:\\nA screenshot of the terminal output is attached.\\n\\n## Impact\\n\\nThis path traversal vulnerability allows for arbitrary file read. While the impact is limited when run directly by a user on the command line, it becomes **High** or **Critical** when libcurl is used by another application that constructs `file:\/\/` URLs from untrusted user input.\\n\\nA remote attacker could abuse this to:\\n- Read sensitive configuration files (e.g., `config.php`, `.env`) containing database credentials, API keys, etc.\\n- Read application source code to find other vulnerabilities.\\n- Read system files like `\/etc\/passwd`, `\/etc\/shadow` (if running with sufficient privileges).\\n- Read private SSH keys or other sensitive user data.\\n\\nThis breaks the security boundary that should be enforced by the `file:\/\/` handler, turning any application that uses it for local file access into a potential vector for total server information disclosure.”,”published”:”2025-11-30T00:07:49″,”modified”:”2025-12-01T07:41:45″,”type”:”hackerone”,”title”:”curl: Path Traversal in file:\/\/ protocol allows Arbitrary File Read”,”source”:””,”references”:””,”id”:”H1:3445174″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3445174″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-01T08:25:47″,”description”:”## Summary:\\nThe `file:\/\/` protocol handler in curl does not properly sanitise or block path traversal sequences (`..\/`). This allows a maliciously crafted `file:\/\/` URL to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-28046","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n