{“lastseen”:”2026-01-04T11:25:49″,”description”:”## Summary\\nDuring my manual review of the file path handling logic in curl’s source code, I noticed the absence of proper validation for directory traversal sequences, which I then verified through practical testing. I discovered that curl allows unauthorized access to arbitrary files through the file:\/\/ protocol handler when directory traversal sequences (`..\/`) are used.\\n\\n## Affected version\\ncurl 8.13.0_8 (official Windows build)\\nPlatform: Windows 10\\ncurl version output:\\ncurl 8.13.0 (x86_64-pc-win32) libcurl\/8.13.0 OpenSSL\/3.0.16 (Schannel) zlib\/1.3.1 brotli\/1.1.0 zstd\/1.5.7 libidn2\/2.3.7 libpsl\/0.21.5 (+libidn2\/2.3.7) libssh2\/1.11.1 nghttp2\/1.64.0 ngtcp2\/1.12.0 nghttp3\/1.8.0\\nRelease-Date: 2025-04-02\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss\\nFeatures: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM PSL SPNEGO SSL SSPI TLS-SRP UnixSockets zstd\\n\\n## Vulnerable Code Location\\nThe vulnerability exists in `lib\/file.c` at lines 229-262 where file paths are not properly validated before opening:\\n\\n“`c\\n\/* Line 229: No validation of \\”..\/\\” sequences *\/\\nfd = curlx_open(actual_path, O_RDONLY | CURL_O_BINARY);\\n\\n\/* Similar issues at lines 253, 258, 262 *\/\\nfd = curlx_open(real_path + 1, O_RDONLY); \/\/ Line 253\\nfd = curlx_open(real_path, O_RDONLY); \/\/ Line 258\\nfd = curlx_open(real_path, O_RDONLY); \/\/ Line 262\\n\\nThis code fails to check for directory traversal sequences before opening files. When I reviewed these lines, I noticed there’s no validation to prevent paths containing `..\/` from accessing files outside the intended directory structure.\\n\\n## Steps To Reproduce\\n1. Download the official curl Windows build from: https:\/\/curl.se\/windows\/dl-8.13.0_8\/curl-8.13.0_8-win64-mingw.zip\\n2. Extract the archive and navigate to the `bin` directory\\n3. Create a test file at `C:\\\\test\\\\poc_test.txt` with content:\\nThis is a test file for Path Traversal vulnerability\\n4. Execute the following command in the same directory as curl.exe:\\n“`bash\\ncurl \\”file:\/\/..\/..\/..\/..\/test\/poc_test.txt\\”\\nDuring my testing, I observed the file contents displayed successfully, proving unauthorized access to files outside the intended directory.\\nSupporting Material\/References\\nScreenshot showing successful file access (Capture.PNG) – captured during my actual testing on Windows 10\\nProof of Concept script (final_poc.bat) demonstrating the vulnerability step by step\\nTest file used in reproduction (poc_test.txt) with the exact content I tested with\\nReference to similar vulnerability: CVE-2021-22901 (shows this pattern has occurred before)\\n\\n## Impact\\n\\nThis vulnerability allows attackers to read arbitrary files from the system when processing malicious file:\/\/ URLs. The impact includes:\\n\\nSensitive data exposure: System files (hosts, password databases), user documents, and private keys can be accessed. During my testing, I was able to read files from completely different directories, which shows how serious this is.\\nInformation disclosure: System configuration, installed software details, and network settings can be enumerated. This could provide attackers with detailed information about the target system.\\nChained attacks: Can be combined with other vulnerabilities for full system compromise. For example, reading configuration files might reveal credentials for other services.\\nRemote exploitation: Applications that process user-supplied URLs with curl (web scrapers, API clients, download managers) can be exploited remotely. Many developers don’t realize that file:\/\/ URLs can be dangerous.\\nThe severity is High because:\\n\\nNo authentication required for exploitation – any attacker can craft a malicious URL\\nAffects confidentiality of sensitive system data – the core security boundary is violated\\nPresent in the latest official release – affects all Windows users of the current version\\nSimple to exploit with minimal technical skill – I was able to reproduce it with just a few simple commands\\nThis isn’t just a theoretical issue. In my hands-on testing on Windows 10, I successfully accessed files outside the intended directory structure, proving real-world exploitability. The vulnerability is particularly concerning because curl is used in countless applications and systems worldwide.”,”published”:”2026-01-03T18:59:40″,”modified”:”2026-01-04T10:34:23″,”type”:”hackerone”,”title”:”curl: Path Traversal in curl file:\/\/ Protocol Handler Allows Unauthorized File Access”,”source”:””,”references”:””,”id”:”H1:3485930″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[“CVE-2021-22901″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3485930″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-04T11:25:49″,”description”:”## Summary\\nDuring my manual review of the file path handling logic in curl’s source code, I noticed the absence of proper validation for directory traversal…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,52,12,117,15,13,7,11,5],"class_list":["post-33874","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-hackerone","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n