{“lastseen”:”2026-01-19T12:27:59″,”description”:”## Summary:\\nThe cookie replacement logic in `lib\/cookie.c` contains a use-after-free vulnerability in the `replace_existing()` function. The function modifies a linked list while iterating over it, creating potential for memory corruption in concurrent or complex cookie operations.\\n\\n**Vulnerable Code Location:** `lib\/cookie.c:822-925`\\n\\n“`c\\nstatic bool replace_existing(struct Curl_easy *data,\\n struct Cookie *co,\\n struct CookieInfo *ci,\\n bool secure,\\n bool *replacep)\\n{\\n bool replace_old = FALSE;\\n struct Curl_llist_node *replace_n = NULL;\\n struct Curl_llist_node *n;\\n \\n \/\/ Iterate over cookie list\\n for(n = Curl_llist_head(\\u0026ci-\\u003ecookielist[myhash]); n; n = Curl_node_next(n)) {\\n struct Cookie *clist = Curl_node_elem(n);\\n \/\/ … comparison logic …\\n if(replace_old)\\n replace_n = n; \/\/ Store node for later deletion\\n }\\n \\n \/\/ Delete node after iteration\\n if(replace_n) {\\n struct Cookie *repl = Curl_node_elem(replace_n);\\n co-\\u003ecreationtime = repl-\\u003ecreationtime; \/\/ Access freed memory\\n Curl_node_remove(replace_n);\\n freecookie(repl, TRUE); \/\/ Free memory\\n }\\n}\\n“`\\n\\n## Affected version\\ncurl 7.x – 8.x\\n\\n## Steps To Reproduce:\\n\\n### PoC Server\\n\\nA race condition server has been developed to trigger the vulnerability:\\n\\n**File:** `poc_cookie_uaf.py`\\n\\n“`bash\\n# Run the PoC server\\npython3 poc_cookie_uaf.py\\n\\n# Server starts on http:\/\/localhost:8000\\n# Provides 3 different exploit scenarios\\n“`\\n\\n### Testing with AddressSanitizer\\n\\n**CRITICAL:** This vulnerability requires AddressSanitizer to detect reliably.\\n\\n#### Build curl with ASan\\n\\n“`bash\\ncd curl\\nexport CFLAGS=\\”-fsanitize=address -fno-omit-frame-pointer -g\\”\\nexport LDFLAGS=\\”-fsanitize=address\\”\\n.\/buildconf\\n.\/configure –enable-debug –disable-shared\\nmake clean\\nmake\\n“`\\n\\n#### Test 1: Rapid Cookie Replacement\\n\\n“`bash\\n# Single request with 50 cookies\\n.\/src\/curl -c cookies.txt http:\/\/localhost:8000\/exploit1\\n\\n# Check for ASan errors\\n# Look for: \\”heap-use-after-free\\”\\n“`\\n\\n**Expected ASan Output (if vulnerable):**\\n“`\\n==12345==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001234\\nREAD of size 8 at 0x602000001234 thread T0\\n #0 0x… in replace_existing lib\/cookie.c:915\\n #1 0x… in Curl_cookie_add lib\/cookie.c:1234\\n #2 0x… in Curl_http_input_auth lib\/http.c:567\\n“`\\n\\n#### Test 2: Concurrent Requests\\n\\n“`bash\\n# Trigger race conditions with concurrent requests\\nfor i in {1..20}; do\\n .\/src\/curl -c cookies_$i.txt http:\/\/localhost:8000\/exploit2 \\u0026\\ndone\\nwait\\n\\n# Check for crashes or ASan errors\\n“`\\n\\n#### Test 3: Complex Replacement Patterns\\n\\n“`bash\\n# Test edge cases\\n.\/src\/curl -c cookies.txt http:\/\/localhost:8000\/exploit3\\n\\n# Run multiple times to trigger race\\nfor i in {1..100}; do\\n .\/src\/curl -c cookies_test_$i.txt http:\/\/localhost:8000\/exploit3\\ndone\\n“`\\n\\n### Verification Script\\n\\n“`python\\n#!\/usr\/bin\/env python3\\n# verify_uaf.py – Check for use-after-free indicators\\n\\nimport subprocess\\nimport sys\\n\\ndef run_test(url):\\n \\”\\”\\”Run curl and check for ASan errors\\”\\”\\”\\n result = subprocess.run(\\n [‘.\/src\/curl’, ‘-c’, ‘test.txt’, url],\\n capture_output=True,\\n text=True\\n )\\n \\n # Check for ASan errors\\n if ‘heap-use-after-free’ in result.stderr:\\n print(f\\”[VULN] Use-after-free detected: {url}\\”)\\n print(result.stderr)\\n return True\\n elif ‘double-free’ in result.stderr:\\n print(f\\”[VULN] Double-free detected: {url}\\”)\\n print(result.stderr)\\n return True\\n elif result.returncode != 0:\\n print(f\\”[CRASH] curl crashed: {url}\\”)\\n return True\\n \\n return False\\n\\n# Test all exploits\\nexploits = [\\n ‘http:\/\/localhost:8000\/exploit1’,\\n ‘http:\/\/localhost:8000\/exploit2’,\\n ‘http:\/\/localhost:8000\/exploit3’,\\n]\\n\\nvulnerable = False\\nfor exploit in exploits:\\n if run_test(exploit):\\n vulnerable = True\\n\\nif vulnerable:\\n print(\\”\\\\\\\\n[RESULT] Vulnerability confirmed!\\”)\\n sys.exit(1)\\nelse:\\n print(\\”\\\\\\\\n[RESULT] No vulnerability detected (or patched)\\”)\\n sys.exit(0)\\n“`\\n\\n## Supporting Material\/References:\\n\\n- [CWE-416: Use After Free](https:\/\/cwe.mitre.org\/data\/definitions\/416.html)\\n- [AddressSanitizer Documentation](https:\/\/github.com\/google\/sanitizers\/wiki\/AddressSanitizer)\\n- [curl Security Policy](https:\/\/curl.se\/docs\/security.html)\\n- [Memory Safety in C](https:\/\/en.wikipedia.org\/wiki\/Memory_safety)\\n\\n### Attachments\\n 1. `poc_cookie_uaf.py` – Proof of concept race condition server\\n 2. `fix_cookie_uaf.patch` – Security patch\\n\\n## Impact\\n\\n## Summary:\\n\\n – Heap corruption from use-after-free\\n – Potential for arbitrary code execution\\n – Information disclosure through freed memory\\n – Crashes from accessing freed memory\\n – Segmentation faults in cookie handling\\n – Application instability\\n – Freed cookie data may contain sensitive information\\n – Session tokens, authentication data exposed\\n – Memory layout information leaked\\n – If attacker can control freed memory contents\\n – Heap spraying techniques applicable\\n – Function pointer corruption possible”,”published”:”2026-01-19T10:27:16″,”modified”:”2026-01-19T11:50:23″,”type”:”hackerone”,”title”:”curl: Cookie Replacement Use-After-Free Vulnerability”,”source”:””,”references”:””,”id”:”H1:3516202″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3516202″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-19T12:27:59″,”description”:”## Summary:\\nThe cookie replacement logic in `lib\/cookie.c` contains a use-after-free vulnerability in the `replace_existing()` function. The function modifies a linked list while iterating over it,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-36263","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n