# curl: Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes (H1:3473384)

Source: HackerOne report 3473384, https://hackerone.com/reports/3473384. Published 2025-12-20, last modified 2025-12-21. Bulletin family: bug bounty. CVSS: none assigned; no CVE listed. Reposted at https://zero.redgem.net/?p=32396 on 2025-12-21.

## Summary

A recent migration of the Digest authentication parsing logic to the curlx_str (strparse) API introduced two functional parsing regressions in lib/vauth/digest.c.

1. Optional Whitespace (OWS) Handling

The current implementation fails to skip optional whitespace after comma delimiters in WWW-Authenticate headers. For example, in a challenge such as:

```
WWW-Authenticate: Digest realm="test", nonce="abc"
```

the parser incorrectly includes the leading space in the subsequent attribute name (e.g., `" nonce"`), causing key lookups to fail.

2. Escaped Quote Handling

The curlx_str_quotedword() helper used to parse quoted attribute values does not correctly handle escaped characters (e.g., `\"`). As a result, attribute values such as `realm="My \"Cool\" Realm"` are truncated or fail to parse entirely. This behavior differs from the previous manual parsing implementation, which handled escaped quotes correctly.

An AI assistant was used only for code navigation and understanding control flow. The issue was identified and verified manually.

## Affected Version

- curl: 8.18.0-DEV (latest master branch)
- Platform: All (platform independent)

## Steps To Reproduce

1. Set up a server or local listener that returns the following Digest challenge (note the space after the comma):

   ```
   WWW-Authenticate: Digest realm="test", nonce="xyz"
   ```

2. Run: `curl --digest -u user:pass http://localhost:8080/`
3. Observe that curl fails to correctly parse the nonce and other parameters, resulting in an authentication failure (401 loop or error).
4. Repeat with an escaped quote inside an attribute value:

   ```
   WWW-Authenticate: Digest realm="My \"Cool\" Realm", nonce="xyz"
   ```

5. Observe that curl truncates the realm value or fails to parse the challenge entirely.

## Supporting Material / References

PoC Output (Python implementation):

```
- Testing challenge 1: nonce="abc",realm="def"
  Found realm: def
- Testing challenge 2 (with space after comma): nonce="abc", realm="def"
  FAILED to find realm (BUG CONFIRMED: whitespace issue)
- Testing challenge 3 (with escaped quote): nonce="foo\"bar",realm="def"
  FAILED to find realm (BUG CONFIRMED: escape issue)
```

Relevant Code (lib/vauth/digest.c):

```c
static bool auth_digest_get_key_value(const char *chlg, const char *key,
                                      char *buf, size_t buflen)
{
    do {
        struct Curl_str data;
        struct Curl_str name;

        if(!curlx_str_until(&chlg, &name, 64, '=') &&
           !curlx_str_single(&chlg, '=')) {

            int rc = curlx_str_quotedword(&chlg, &data, 256);
            /* ... */

            if(curlx_str_cmp(&name, key)) {
                /* Fails when name contains leading whitespace */
                /* ... */
            }

            if(curlx_str_single(&chlg, ',')) {
                return false; /* OWS after comma is not skipped */
            }
        }
        else
            break;
    } while(1);

    return false;
}
```

## Impact

Security Impact

This parsing regression allows a malicious or compromised server to deliberately craft RFC-compliant WWW-Authenticate headers that cause curl clients to silently fail Digest authentication.

In security-sensitive environments (API clients, automation, CI/CD, package managers), this can be abused to:

- Trigger repeated authentication failures (DoS-style degradation)
- Force fallback to weaker authentication mechanisms (e.g., Basic auth, or unauthenticated requests depending on configuration)
- Break integrity assumptions in automated systems that rely on Digest authentication for request validation

Because the headers are RFC-compliant, clients cannot distinguish between legitimate and malicious challenges, making this a protocol-level attack surface rather than simple server misconfiguration.