{“lastseen”:”2025-12-13T16:45:40″,”description”:”## Summary\\n\\nA Denial of Service (DoS) vulnerability exists in the `dedotdotify()` function in `lib\/urlapi.c` that can cause excessive CPU consumption due to O(n\u00b2) time complexity when processing URLs with malicious path patterns containing many `..\/` sequences.\\n\\n## Affected Component\\n\\n- **Component**: libcurl URL API\\n- **File**: `lib\/urlapi.c`\\n- **Function**: `dedotdotify()` (lines 794-898)\\n- **Vulnerable Code**: Lines 857-866\\n\\n## Vulnerability Details\\n\\nThe `dedotdotify()` function normalizes URL paths by removing `..\/` and `.\/` sequences according to RFC 3986 Section 5.2.4. However, the implementation has a quadratic time complexity (O(n\u00b2)) vulnerability.\\n\\n### Root Cause\\n\\nWhen processing a `\/..\/` sequence, the code uses `memrchr()` to find the last `\/` in the output buffer to remove the preceding segment:\\n\\n“`c\\nelse if(is_dot(\\u0026p, \\u0026blen) \\u0026\\u0026 (ISSLASH(*p) || !blen)) {\\n \/* remove the last segment from the output buffer *\/\\n size_t len = curlx_dyn_len(\\u0026out);\\n if(len) {\\n char *ptr = curlx_dyn_ptr(\\u0026out);\\n char *last = memrchr(ptr, ‘\/’, len); \/\/ O(n) operation\\n if(last)\\n curlx_dyn_setlen(\\u0026out, last – ptr);\\n }\\n“`\\n\\nEach `memrchr()` call scans the entire current output buffer length, which is O(n). When processing a path like `\/a1\/a2\/…\/an\/..\/..`, the function:\\n1. First adds all n segments to the output buffer (buffer size grows to ~n segments)\\n2. For each `\/..\/`, calls `memrchr()` which scans the entire remaining buffer\\n3. Total operations: O(n + (n-1) + (n-2) + … + 1) = O(n\u00b2)\\n\\n### Attack Vector\\n\\nThis vulnerability is triggered in all normal URL parsing operations:\\n\\n1. **Command-line curl**: When processing user-provided URLs\\n – Code path: `src\/tool_operate.c` \u2192 `parseurlandfillconn()` \u2192 `curl_url_set()`\\n\\n2. **libcurl API**: When `CURLOPT_URL` is set\\n – Code path: `lib\/url.c:1771` \u2192 `curl_url_set()` \u2192 `parseurl()` \u2192 `dedotdotify()`\\n\\n3. **Default behavior**: Triggered when `CURLU_PATH_AS_IS` flag is not set (default)\\n – Check: `lib\/urlapi.c:1230-1233`\\n\\n### Input Size Limit\\n\\n- Maximum input length: `CURL_MAX_INPUT_LENGTH` = 8MB (8,000,000 bytes)\\n- An attacker can create paths up to this limit to maximize CPU consumption\\n\\n## Impact\\n\\n### Severity Assessment\\n\\n**CVSS v3.1 Vector**: `AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H`\\n\\n- **Attack Vector**: Network (malicious URL can be provided via HTTP request, redirect, etc.)\\n- **Attack Complexity**: Low (simple URL manipulation)\\n- **Privileges Required**: None\\n- **User Interaction**: None\\n- **Scope**: Unchanged\\n- **Confidentiality**: None\\n- **Integrity**: None\\n- **Availability**: High (CPU exhaustion leading to DoS)\\n\\n### Affected Scenarios\\n\\n1. **Web servers\/proxies** that process user-provided URLs using curl\/libcurl\\n2. **API clients** that accept external URLs\\n3. **Mobile applications** processing URLs from user input or network responses\\n4. **Any application** using curl\/libcurl to parse URLs from untrusted sources\\n\\n### Potential Consequences\\n\\n- **CPU exhaustion**: High CPU usage for extended periods\\n- **Service degradation**: Delayed response to legitimate requests\\n- **Resource starvation**: May prevent other requests from being processed\\n- **Amplification**: A single malicious URL can consume significant CPU resources\\n\\n## Proof of Concept\\n\\n### Malicious URL Pattern\\n\\n“`\\nhttp:\/\/example.com\/a1\/a2\/a3\/…\/an\/..\/..\/\\n“`\\n\\nThis pattern first adds n path segments, then processes n `..\/` sequences, causing maximum CPU consumption.\\n\\n### PoC Code\\n\\nA complete proof-of-concept is provided in `dos_PoC.c`:\\n\\n“`c\\n\/\/ Compile: gcc -o dos_PoC dos_PoC.c -lcurl\\n\/\/ Run: .\/dos_PoC\\n“`\\n\\n### Performance Measurements\\n\\nTesting results on macOS with optimized build:\\n\\n| Segments | Path Length | Processing Time | Time Ratio |\\n|———-|————-|—————–|————|\\n| 100 | 690 bytes | 0.000012s | 1.0x |\\n| 1,000 | 7,890 bytes | 0.000028s | 2.3x |\\n| 10,000 | 88,890 bytes| 0.000271s | 22.6x |\\n| 50,000 | 488,890 bytes| 0.001383s | 115.3x |\\n\\n**Analysis**:\\n- When input size increases 10x (1,000 \u2192 10,000 segments), processing time increases ~9.7x\\n- This demonstrates quadratic time complexity (approaching O(n\u00b2))\\n- With maximum allowed input (8MB), the impact would be significantly greater\\n\\n### Steps to Reproduce\\n\\n1. Compile the PoC:\\n “`bash\\n gcc -O2 -o dos_PoC dos_PoC.c -lcurl\\n “`\\n\\n2. Run the PoC:\\n “`bash\\n .\/dos_PoC\\n “`\\n\\n3. Observe the processing time increases quadratically with input size.\\n\\n4. Test with actual curl command:\\n “`bash\\n # Create malicious URL\\n MALICIOUS_URL=\\”http:\/\/example.com$(python3 -c \\”print(‘\/a’ + ‘\/a’.join(map(str, range(10000))) + ‘\/..\/’ * 10000)\\”)\\”\\n \\n # Measure time\\n time curl \\”$MALICIOUS_URL\\”\\n “`\\n\\n## Affected Versions\\n\\nThis vulnerability affects **all versions of curl\/libcurl** that include the `dedotdotify()` function. The function was introduced as part of the URL API implementation.\\n\\nThe vulnerability exists in the current codebase at:\\n- File: `lib\/urlapi.c`\\n- Function: `dedotdotify()` (line 794)\\n\\n## Recommended Mitigation\\n\\n### Short-term Workaround\\n\\nApplications can use the `CURLU_PATH_AS_IS` flag to skip path normalization:\\n- For `curl_url_set()`: Pass `CURLU_PATH_AS_IS` in flags\\n- For `CURLOPT_URL`: Use `CURLOPT_PATH_AS_IS` option\\n\\n**Note**: This workaround may have security implications if path normalization is required for security purposes.\\n\\n### Long-term Fix\\n\\nThe `dedotdotify()` function should be rewritten to achieve O(n) time complexity:\\n\\n1. **Track last slash position**: Instead of using `memrchr()` to search for the last `\/` each time, maintain a pointer or index to the last segment boundary.\\n\\n2. **Single-pass algorithm**: Process the path in a single pass, maintaining a stack or pointer array of segment boundaries.\\n\\n3. **Example approach**:\\n – Use a linked list or array to track segment boundaries\\n – When encountering `..\/`, pop from the segment stack instead of searching\\n – This reduces complexity from O(n\u00b2) to O(n)\\n\\n### Input Validation\\n\\nConsider adding path length limits specifically for `dedotdotify()` processing, independent of the overall `CURL_MAX_INPUT_LENGTH` limit.\\n\\n## Additional Information\\n\\n### Related Code References\\n\\n- Vulnerability location: `lib\/urlapi.c:857-866`\\n- Function definition: `lib\/urlapi.c:794-898`\\n- Call site: `lib\/urlapi.c:1230-1233`\\n- URL parsing entry point: `lib\/urlapi.c:901 (parseurl())`\\n\\n### Testing Environment\\n\\n- OS: macOS (darwin 25.1.0)\\n- Compiler: gcc with -O2 optimization\\n- curl: Latest source code from repository\\n\\n### Disclosure\\n\\nThis vulnerability was discovered through source code analysis and verified with proof-of-concept code. No actual exploitation attempts were made against production systems.\\n\\n## References\\n\\n- RFC 3986 Section 5.2.4: \\”Remove Dot Segments\\”\\n- curl Security Policy: https:\/\/curl.se\/docs\/security.html\\n- curl Vulnerability Disclosure Policy: https:\/\/curl.se\/dev\/vuln.html\\n\\n—\\n\\n## Reporter\\n- Jiyong Yang \/ BAEKSEOK University\\n\\n## Impact\\n\\nAn attacker can cause denial of service and excessive CPU consumption by providing a malicious URL with a path containing many `..\/` sequences. The dedotdotify() function processes such paths with O(n\u00b2) time complexity, consuming disproportionate CPU resources and potentially rendering the service unresponsive or significantly degraded. This affects any application using curl\/libcurl to parse untrusted URLs, including web servers, proxies, API clients, and mobile applications.”,”published”:”2025-12-13T07:58:59″,”modified”:”2025-12-13T16:21:36″,”type”:”hackerone”,”title”:”curl: Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization”,”source”:””,”references”:””,”id”:”H1:3463608″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3463608″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-13T16:45:40″,”description”:”## Summary\\n\\nA Denial of Service (DoS) vulnerability exists in the `dedotdotify()` function in `lib\/urlapi.c` that can cause excessive CPU consumption due to O(n\u00b2) time complexity…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-30985","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n