{“lastseen”:”2025-12-17T13:49:28″,”description”:”## Summary:\\nA security feature bypass exists in `libcurl` when built with the **wolfSSL** backend and **HTTP\/3** support. The Certificate Pinning feature (`–pinnedpubkey`) is silently ignored if the user also disables peer verification `-k` or `–insecure `) . This behavior is inconsistent with other backends (like OpenSSL) and exposes connections to Man-in-the-Middle attacks.\\n\\n\\n## Affected version\\nReproduced on `curl 8.8.0-DEV` .\\n\\n“`text\\ndocker run –rm smbd\/curl-http3-wolfssl:5.7.0 curl -V\\ncurl 8.8.0-DEV (x86_64-pc-linux-gnu) libcurl\/8.8.0-DEV wolfSSL\/5.7.0 zlib\/1.2.13 nghttp2\/1.52.0 ngtcp2\/1.5.0 nghttp3\/1.3.0\\nRelease-Date: [unreleased]\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps telnet tftp\\nFeatures: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 Largefile libz SSL threadsafe UnixSockets\\n\\n“`\\n\\n## Steps To Reproduce:\\n\\nWe compare the behavior of a standard build (OpenSSL) versus the vulnerable build (wolfSSL) using a **bogus** pinned hash (`AAAA…`) against a valid server (`google.com`).\\n\\n 1. **Control Test (Standard OpenSSL ):**\\n\\n Run: `curl -k –pinnedpubkey \\”sha256\/\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\\” https:\/\/www.google.com\/`\\n\\n **Result:** `curl: (90) SSL: public key does not match pinned public key`\\n\\n\\n 2. **Exploit Test (Vulnerable wolfSSL + HTTP\/3 build):**\\n\\n Run the same command using the vulnerable environment (reproduced here via Docker `smbd\/curl-http3-wolfssl:5.7.0`) :\\n\\n `docker run –rm smbd\/curl-http3-wolfssl:5.7.0 curl -v –http3 -k –pinnedpubkey \\”sha256\/\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\\” https:\/\/www.google.com\/`\\n\\n\\n\\n\\n **Result:** ` docker run –rm smbd\/curl-http3-wolfssl:5.7.0 curl -v –http3 -k –pinnedpubkey \\”sha256\/\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\\” https:\/\/www.google.com\/\\n % Total % Received % Xferd Average Speed Time Time Time Current\\n Dload Upload Total Spent Left Speed\\n 0 0 0 0 0 0 0 0 –:–:– –:–:– –:–:– 0* Host www.google.com:443 was resolved.\\n* IPv6: 2800:3f0:4001:83c::2004\\n* IPv4: 172.217.30.68\\n* Trying 172.217.30.68:443…\\n* Trying [2800:3f0:4001:83c::2004]:443…\\n* Immediate connect fail for 2800:3f0:4001:83c::2004: Network is unreachable\\n* Trying 172.217.30.68:443…\\n* Connected to www.google.com (172.217.30.68) port 443\\n* successfully set certificate verify locations:\\n* CAfile: \/etc\/ssl\/certs\/ca-certificates.crt\\n* CApath: \/etc\/ssl\/certs\\n* ALPN: curl offers h2,http\/1.1\\n 0 0 0 0 0 0 0 0 –:–:– –:–:– –:–:– 0* Connected to www.google.com (172.217.30.68) port 443\\n* using HTTP\/3\\n* [HTTP\/3] [0] OPENED stream for https:\/\/www.google.com\/\\n* [HTTP\/3] [0] [:method: GET]\\n* [HTTP\/3] [0] [:scheme: https]\\n* [HTTP\/3] [0] [:authority: www.google.com]\\n* [HTTP\/3] [0] [:path: \/]\\n* [HTTP\/3] [0] [user-agent: curl\/8.8.0-DEV]\\n* [HTTP\/3] [0] [accept: *\/*]\\n\\u003e GET \/ HTTP\/3\\n\\u003e Host: www.google.com\\n\\u003e User-Agent: curl\/8.8.0-DEV\\n\\u003e Accept: *\/*\\n\\u003e \\n* Request completely sent off\\n\\u003c HTTP\/3 200 \\n\\u003c date: Tue, 16 Dec 2025 16:44:58 GMT\\n\\u003c expires: -1\\n\\u003c cache-control: private, max-age=0\\n\\u003c content-type: text\/html; charset=ISO-8859-1\\n\\u003c content-security-policy-report-only: object-src ‘none’;base-uri ‘self’;script-src ‘nonce-zhAjavKpmSo8XJCkxA_NgQ’ ‘strict-dynamic’ ‘report-sample’ ‘unsafe-eval’ ‘unsafe-inline’ https: http:;report-uri https:\/\/csp.withgoogle.com\/csp\/gws\/other-hp\\n\\u003c accept-ch: Sec-CH-Prefers-Color-Scheme\\n\\u003c p3p: CP=\\”This is not a P3P policy! See g.co\/p3phelp for more info.\\”\\n\\u003c server: gws\\n\\u003c x-xss-protection: 0\\n\\u003c x-frame-options: SAMEORIGIN\\n\\u003c set-cookie: __Secure-STRP=AD6DoguQyJNF6fdQjWRffsBqL5E7sCEdu2diQU92k64Obdab6qaZZ_YrOXrt5mjSi_mZUvgnouZxGUgkqQQ0qUaPWIKNTV8dktGI; expires=Tue, 16-Dec-2025 16:49:58 GMT; path=\/; domain=.google.com; Secure; SameSite=strict\\n\\u003c set-cookie: AEC=AaJma5sy9-_cBlJAKCzRhnuHw8Hi2jSxiSB0qdTwn8F7JAvuHTabjD7SuO4; expires=Sun, 14-Jun-2026 16:44:58 GMT; path=\/; domain=.google.com; Secure; HttpOnly; SameSite=lax\\n\\u003c set-cookie: NID=527=UAu9nT29vQQ1b9IRZfHQWcggNUyZO7X6TTM2XOkZfaPi93mxevHPyD3CB1KhkeUivwLhDrFjkCOg1iVwpetsU5zpb7HuBvlYJxY0sFo_V2wH_u2IJ4IvB-pyvLSn4YsS-qeG5RWrGwQy1hEHoNLK-PByHY1YI_10N-Jred14vtoFNySz1nc0la5zEC8qWvqhVzf0davySmgyeGedns-JHN2ceE3i_Tdh; expires=Wed, 17-Jun-2026 16:44:58 GMT; path=\/; domain=.google.com; HttpOnly\\n\\u003c set-cookie: __Secure-BUCKET=CN8C; expires=Sun, 14-Jun-2026 16:44:58 GMT; path=\/; domain=.google.com; Secure; HttpOnly\\n\\u003c alt-svc: h3=\\”:443\\”; ma=2592000,h3-29=\\”:443\\”; ma=2592000\\n\\u003c accept-ranges: none\\n\\u003c vary: Accept-Encoding\\n\\u003c \\n{ [104 bytes data]\\n\\u003c!doctype html\\u003e\\u003chtml itemscope=\\”\\” itemtype=\\”http:\/\/schema.org\/WebPage\\” lang=\\”fr-CM\\”\\u003e\\u003chead\\u003e\\u003cmeta content=\\”text\/html; charset=UTF-8\\” http-equiv=\\”Content-Type\\”\\u003e\\u003cmeta content=\\”\/images\/branding\/googleg\/1x\/googleg_standard_color_128dp.png\\” itemprop=\\”image\\”\\u003e\\u003ctitle\\u003eGoogle\\u003c\/title\\u003e\\u003cscript nonce=\\”zhAjavKpmSo8XJCkxA_NgQ\\”\\u003e(function(){var _g={kEI:’ioxBaZb1NrTU5OUPqOCEUQ’,kEXPI:’0,203004,45,1101175,4,2,4,3030729,344796,270476,5262392,36811500,25228681,217550,30632,7033,2105,4600,6553,50098,14067,61059,28338,48236,28322,3,2749,7714,6975,7774,15974,2662,4719,27257,19845,9881,36458,20879,1018,4372,4532,1760,16179,2646,101,2,4,1,4434,12368,2305,5031,1472,2,13032,1382,4,1514,578,2777,195,572,2869,2374,2,4205,5,1789,17,8476,1430,4384,2,876,2229,5089,19,3007,14,782,20847,2407,12338,1031,1034,1197,3106,845,2047,1,1,7,437,1128,3,2842,9,27,8,3055,1012,1745,4,3510,3,11680,4,2170,73,241,296,5,1113,389,4,298,901,1448,5,4819,15,734,298,4309,2806,2138,1275,7,1786,1048,2,2434,690,741,988,1084,3780,4,93,2561,2,5375,4,343,7,606,67,1582,4,1882,6,2,2,2,680,812,745,3310,483,746,5,465,793,1,2,1033,22,323,3,1359,3,2140,3,2788,49,10,215,441 …………………………………..`\\n\\n\\n**Root Cause Analysis:**\\n\\nThe issue is located in `lib\/vquic\/vquic-tls.c`. The logic that triggers the pinning check (`Curl_wssl_verify_pinned`) appears to be conditionally skipped or improperly handled when the primary verification (`verifyhost`) is disabled via configuration. Unlike the OpenSSL implementation, the wolfSSL wrapper for QUIC does not treat Pinning as an independent check.\\n\\n## Impact\\n\\nThis vulnerability allows a Man-in-the-Middle (MitM) attacker to intercept and decrypt traffic, even when the user has explicitly configured Certificate Pinning to prevent such attacks.”,”published”:”2025-12-16T20:31:04″,”modified”:”2025-12-17T13:21:24″,”type”:”hackerone”,”title”:”curl: Certificate Pinning Bypass with wolfSSL backend over HTTP\/3″,”source”:””,”references”:””,”id”:”H1:3468098″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3468098″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-17T13:49:28″,”description”:”## Summary:\\nA security feature bypass exists in `libcurl` when built with the **wolfSSL** backend and **HTTP\/3** support. The Certificate Pinning feature (`–pinnedpubkey`) is silently ignored…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-31541","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n