{“lastseen”:”2026-01-19T12:27:59″,”description”:”## Summary:\\nThe cookie parsing code in `lib\/cookie.c` contains an integer overflow vulnerability when processing the `Max-Age` attribute of HTTP cookies. The vulnerable code attempts to add the max-age value to the current timestamp without adequate overflow protection\\n\\nWhile the code includes an overflow check (`CURL_OFF_T_MAX – now \\u003c co-\\u003eexpires`), this check itself can experience integer overflow in edge cases where:\\n1. The `max-age` value is extremely large (near `CURL_OFF_T_MAX`)\\n2. The current time (`now`) is large enough that the subtraction `CURL_OFF_T_MAX – now` produces unexpected results\\n3. The addition `co-\\u003eexpires += now` occurs without proper bounds checking\\n\\nAn attacker can exploit this vulnerability by:\\n1. Controlling a web server or performing a man-in-the-middle attack\\n2. Sending HTTP responses with `Set-Cookie` headers containing extremely large `Max-Age` values\\n3. Causing curl\/libcurl to incorrectly calculate cookie expiration times\\n4. Resulting in cookies persisting beyond their intended lifetime or being immediately expired\\n\\n**Vulnerable Code Location:** `lib\/cookie.c:607-611`\\n\\n“`c\\nelse if(CURL_OFF_T_MAX – now \\u003c co-\\u003eexpires)\\n \/* would overflow *\/\\n co-\\u003eexpires = CURL_OFF_T_MAX;\\nelse\\n co-\\u003eexpires += now;\\n“`\\n\\n## Affected version\\n**Affected Versions:** curl 7.x – 8.x\\n\\n## Steps To Reproduce:\\n\\n### Vulnerable Code Flow\\n\\n1. **Cookie Header Parsing** (`parse_cookie_header()`)\\n – Parses `Max-Age` attribute from `Set-Cookie` header\\n – Calls `curlx_str_number()` to convert string to integer\\n – Handles overflow cases but with insufficient protection\\n\\n2. **Overflow Check** (Line 607)\\n “`c\\n if(CURL_OFF_T_MAX – now \\u003c co-\\u003eexpires)\\n “`\\n – This check can itself overflow when `now` is large\\n – Does not account for all edge cases\\n\\n3. **Time Addition** (Line 611)\\n “`c\\n co-\\u003eexpires += now;\\n “`\\n – Performs addition without verifying result\\n – Can wrap around on overflow\\n\\n### Exploitation Scenarios\\n\\n#### Scenario 1: Maximum Max-Age Value\\n“`http\\nHTTP\/1.1 200 OK\\nSet-Cookie: session=abc123; Max-Age=9223372036854775807; Path=\/\\n“`\\n- Max-Age set to `CURL_OFF_T_MAX` (64-bit maximum)\\n- When added to current time, may overflow\\n- Cookie may expire immediately or persist indefinitely\\n\\n#### Scenario 2: Near-Overflow Value\\n“`http\\nHTTP\/1.1 200 OK\\nSet-Cookie: tracking=xyz; Max-Age=9223372036854000000; Path=\/\\n“`\\n- Max-Age chosen to overflow when added to `time(NULL)`\\n- Bypasses overflow check due to edge case\\n- Results in incorrect expiration calculation\\n\\n#### Scenario 3: Cookie Jar Pollution\\n“`http\\nHTTP\/1.1 200 OK\\nSet-Cookie: cookie1=val; Max-Age=9223372036854775807\\nSet-Cookie: cookie2=val; Max-Age=9223372036854775806\\nSet-Cookie: cookie3=val; Max-Age=9223372036854775805\\n… (repeated many times)\\n“`\\n- Multiple cookies with overflow values\\n- Fills cookie jar with persistent cookies\\n- Causes denial of service\\n\\n—\\n\\n### PoC Server\\n\\nA malicious HTTP server has been developed to demonstrate the vulnerability:\\n\\n**File:** `poc_cookie_overflow.py`\\n\\n“`bash\\n# Run the PoC server\\npython3 poc_cookie_overflow.py\\n\\n# Server starts on http:\/\/localhost:8000\\n# Provides 4 different exploit scenarios\\n“`\\n\\n### Testing Steps\\n\\n#### Test 1: Maximum Max-Age Value\\n“`bash\\n# Test with vulnerable curl\\ncurl -c cookies.txt http:\/\/localhost:8000\/exploit1\\n\\n# Examine cookie file\\ncat cookies.txt\\n\\n# Expected (vulnerable): Cookie with incorrect expiration\\n# Expected (patched): Cookie capped at 400 days\\n“`\\n\\n#### Test 2: Near-Overflow Value\\n“`bash\\ncurl -c cookies.txt http:\/\/localhost:8000\/exploit2\\ncat cookies.txt\\n\\n# Check if overflow occurred\\npython3 -c \\”\\nimport time\\nwith open(‘cookies.txt’) as f:\\n for line in f:\\n if ‘near_overflow’ in line:\\n parts = line.split()\\n expiry = int(parts[4])\\n now = int(time.time())\\n print(f’Expiry: {expiry}’)\\n print(f’Now: {now}’)\\n print(f’Diff: {expiry – now} seconds’)\\n print(f’Days: {(expiry – now) \/ 86400} days’)\\n\\”\\n“`\\n\\n#### Test 3: Negative Max-Age\\n“`bash\\ncurl -c cookies.txt http:\/\/localhost:8000\/exploit3\\ncat cookies.txt\\n\\n# Verify cookie was expired immediately\\n“`\\n\\n#### Test 4: Cookie Jar Pollution\\n“`bash\\ncurl -c cookies.txt http:\/\/localhost:8000\/exploit4\\nwc -l cookies.txt\\n\\n# Should show 10+ cookies with overflow values\\n“`\\n\\n## Supporting Material\/References:\\n\\n- [RFC 6265 – HTTP State Management Mechanism](https:\/\/datatracker.ietf.org\/doc\/html\/rfc6265)\\n- [RFC 6265bis – Cookies (Draft)](https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-httpbis-rfc6265bis)\\n- [CWE-190: Integer Overflow or Wraparound](https:\/\/cwe.mitre.org\/data\/definitions\/190.html)\\n- [curl Security Policy](https:\/\/curl.se\/docs\/security.html)\\n\\n\\n * [attachment \/ reference]\\n\\nAttached PoC, patch files\\n\\n## Impact\\n\\n## Summary:\\n – Attacker-set session cookies persist beyond intended lifetime\\n – Users remain logged in indefinitely\\n – Session tokens cannot be properly expired\\n – Tracking cookies persist longer than allowed\\n – User privacy preferences bypassed\\n – GDPR\/privacy regulation violations\\n – Authentication cookies may expire immediately\\n – Or persist indefinitely, preventing logout\\n – Access control mechanisms compromised\\n – Malformed cookies fill up cookie storage\\n – Legitimate cookies may be evicted\\n – Application functionality degraded”,”published”:”2026-01-19T10:12:12″,”modified”:”2026-01-19T11:50:13″,”type”:”hackerone”,”title”:”curl: Cookie Max-Age Integer Overflow Vulnerability”,”source”:””,”references”:””,”id”:”H1:3516186″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3516186″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-19T12:27:59″,”description”:”## Summary:\\nThe cookie parsing code in `lib\/cookie.c` contains an integer overflow vulnerability when processing the `Max-Age` attribute of HTTP cookies. The vulnerable code attempts to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-36264","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n