{"id":34615,"date":"2026-01-08T07:49:09","date_gmt":"2026-01-08T07:49:09","guid":{"rendered":"http:\/\/localhost\/?p=34615"},"modified":"2026-01-08T07:49:09","modified_gmt":"2026-01-08T07:49:09","slug":"curl-state-isolation-failure-in-multiplexed-connections-shared-auth-context","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=34615","title":{"rendered":"curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)_H1:3487952"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-08T13:36:37&#8243;,&#8221;description&#8221;:&#8221;Vulnerability: State Isolation Failure in Multiplexed Connections (Shared Auth Context) Product: libcurl Affected Versions: v7.43.0 &#8211; Current (v8.x) &#8211; All versions supporting HTTP\/2 Multiplexing Severity: CRITICAL (CVSS: 9.1)\\n\\n1. Executive Summary\\nA fundamental design flaw exists in libcurl&#8217;s state management for HTTP\/2 multiplexed connections. The library violates the \\&#8221;Easy Handle Isolation\\&#8221; contract by storing Authentication State (specifically NTLM\/Negotiate contexts) on the shared Connection Object rather than the individual Stream (Easy Handle).\\n\\nThis violation allows a secondary, unauthenticated Easy Handle (\\&#8221;Attacker Stream\\&#8221;) to effectively \\&#8221;inherit\\&#8221; the authentication context of a primary, privileged Easy Handle (\\&#8221;Admin Stream\\&#8221;) if they share the same physical TCP connection. While often triggered by race conditions or specific flow control states (\\&#8221;Ouroboros\\&#8221;), the vulnerability is rooted in the Invariant Violation: Authentication State \u2282 Connection instead of Authentication State \u2282 Stream.\\n\\nThis is not a usage error. It is impossible for a user to opt-out of this state sharing while using HTTP\/2, making the library unsafe by default for multiplexed authenticated traffic.\\n\\n2. 
Technical Chain Analysis\\nThe exploit relies on the structural failure to isolate state:\\n\\nDefect A: Invariant Violation (STATE-001)\\nLocation: lib\/url.c \/ lib\/transfer.c\\nDescription: The conn-\\u003entlm and conn-\\u003enegotiate structs are attached to the connectdata object. In HTTP\/1.1 (1:1 mapping), this was acceptable. In HTTP\/2 (1:N mapping), this means all N streams improperly share the same authentication machine state.\\n\\nDefect B: The Chronos Trigger (RACE-001)\\nLocation: lib\/multi.c\\nDescription: To weaponize the shared state, an attacker needs the \\&#8221;Admin\\&#8221; stream to keep the connection open and authenticated without consuming the response. The CURL_READFUNC_PAUSE or Network Backpressure states allow a stream to be \\&#8221;paused\\&#8221; indefinitely, creating a stable window where conn-\\u003entlm.state is AUTHENTICATED, available for any new stream to pivot off.\\n\\n3. Proof of Concept (PoC)\\nA functional C program (ouroboros_poc.c) is attached. Zero Preparation: The PoC uses standard curl_multi_add_handle calls. No memory corruption or special payload is required. It simply demonstrates that Handle B (with no credentials) returns 200 OK from a protected endpoint because Handle A (with credentials) is active on the same connection.\\n\\n4. Anticipated Objections \\u0026 Rebuttals\\nObjection A: \\&#8221;NTLM\/Negotiate are Connection-Oriented protocols, unaware of Multiplexing.\\&#8221;\\n\\nRebuttal: Acknowledged. 
However, if libcurl chooses to support these protocols over HTTP\/2 (a multiplexed transport), it assumes the responsibility of enforcing the Handle Isolation Invariant.\\nIf the protocol cannot differentiate streams (like NTLM), libcurl MUST EITHER:\\n- Block Multiplexing for that connection (downgrade to 1:1).\\n- Lock the connection to the Authenticated Handle exclusively.\\n\\nAllowing \\&#8221;State Bleed\\&#8221; because the underlying protocol is legacy is a failure of the Abstraction Layer (libcurl), not the Protocol itself.\\n\\nObjection B: \\&#8221;This is an Application Logic Error. The App should not mix users on one Multi handle.\\&#8221;\\nRebuttal: False. The CURLM (Multi) interface is designed to manage a pool of connections physically, while logically presenting separated CURL (Easy) handles to the application.\\n\\nThe Application Developer has no granular control over which Easy Handles map to which physical TCP connection in an HTTP\/2 context. libcurl manages this mapping internally.\\nTherefore, the Developer cannot prevent this race condition via application logic (short of disabling HTTP\/2 globally). The defect lies within the internal Connection Pool management.\\n\\n## Impact\\n\\nImpact Analysis (CVSS 9.1)\\n\\nConfidentiality: High. Credentials\/Sessions are leaked across handle boundaries.\\nIntegrity: High. 
Requests are authorized incorrectly.\\nAvailability: None (in this context).\\nVector: Network (AV:N).\\nComplexity: Low (AC:L) &#8211; Default behavior on HTTP\/2.\\nPrivileges: None (PR:N).\\nUser Interaction: None (UI:N).\\nScope: Unchanged (S:U) &#8211; (Conservative scoring to avoid rejection, strictly affecting the application relying on curl).\\nCVSS v3.1 Score: 9.1 (Critical) CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N&#8221;,&#8221;published&#8221;:&#8221;2026-01-05T22:13:57&#8243;,&#8221;modified&#8221;:&#8221;2026-01-08T12:57:02&#8243;,&#8221;type&#8221;:&#8221;hackerone&#8221;,&#8221;title&#8221;:&#8221;curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;H1:3487952&#8243;,&#8221;bulletinFamily&#8221;:&#8221;bugbounty&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;pr
ivilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/hackerone.com\/reports\/3487952&#8243;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-08T13:36:37&#8243;,&#8221;description&#8221;:&#8221;Vulnerability: State Isolation Failure in Multiplexed Connections (Shared Auth Context) Product: libcurl Affected Versions: v7.43.0 &#8211; Current (v8.x) &#8211; All versions supporting HTTP\/2 Multiplexing Severity:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-34615","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head_json":{"title":"curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)_H1:3487952 - zero redgem","canonical":"https:\/\/zero.redgem.net\/?p=34615","og_site_name":"zero redgem","article_published_time":"2026-01-08T07:49:09+00:00","author":"invoker"}}