{“lastseen”:”2026-06-01T00:27:59″,”description”:”## Summary:\\n\\ncurl_easy_duphandle() creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent’s lifetime. This means the client using a cloned handle may accidentally send secrets to servers in plain text when it was already instructed not to do so.\\n\\n## Affected version\\n\\nCommit: efc3f2309e1c87c67700350f7df8da508cd307cd\\nDate: 2026-05-26.\\n\\nTested on WSL2. clang-19 w\/ ASAN and GNU ldd. I have a test bench attached you can run. It uses Python to call a C extension that uses socketpair() and direct C calls to talk to libcurl. \\n\\n## Steps To Reproduce:\\n\\n(I am really hoping the patch is super obvious.) \\n\\nUntar the attached `cyber.tgz` in the top level of curl (` tar xzf cyber.tgz`) so it creates `curl\/cyber`. `cd` into `curl\/cyber` and run `build.sh`. Then run ` .\/run.sh lib_easy.c_duphandle_hsts.py`\\n\\nWith the patch I get:\\n\\n“`\\n…\\n* Switched from HTTP to HTTPS due to HSTS =\\u003e https:\/\/x.test\/secret\\n* Alt-svc check wanted=1, allowed=1\\n* check Alt-Svc for host ‘x.test’\\n…\\n* SSL Trust: peer verification disabled\\n* TLS connect error: error:00000000:lib(0)::reason(0)\\n* OpenSSL SSL_connect: Broken pipe in connection to x.test:443 \\n* closing connection #0\\n…\\n“`\\n\\nWithout the patch I get:\\n\\n“`\\n…\\n Established connection to x.test (127.0.0.1 port 80) from port 0 \\n* using HTTP\/1.x\\n* sending last upload chunk of 115 bytes\\n* Curl_xfer_send(len=115, eos=1) -\\u003e 0, 115\\n\\u003e GET \/secret HTTP\/1.1\\nHost: x.test\\nAccept: *\/*\\nTE: gzip\\nAccept-Encoding: deflate, gzip, zstd\\nConnection: TE\\n\\n* Request completely sent off\\n\\u003c HTTP\/1.1 200 OK\\n\\u003c Content-Length: 58\\n\\u003c Connection: close\\n\\u003c Content-Type: text\/plain\\n* shutting down connection #0…\\n…\\n“`\\n\\n## Patch:\\n\\n“`c\\nFrom 4de23f2cdf034fd7d405fd262367fb792ccec6be: Mon Sep 17 00:00:00 2001\\nFrom: Adrian Johnston \\u003cajohnston54637@gmail.com\\u003e\\nDate: Fri, 29 May 2026 00:00:15 -0700\\nSubject: [PATCH] hsts_bypass_easy_duphandle\\n\\n—\\n lib\/easy.c | 3 +++\\n lib\/hsts.c | 18 ++++++++++++++++++\\n lib\/hsts.h | 1 +\\n 3 files changed, 22 insertions(+)\\n\\ndiff –git a\/lib\/easy.c b\/lib\/easy.c\\nindex a472d6ddc5..10f814d093 100644\\n— a\/lib\/easy.c\\n+++ b\/lib\/easy.c\\n@@ -1052,6 +1052,9 @@ CURL *curl_easy_duphandle(CURL *curl)\\n (void)Curl_hsts_loadfile(outcurl,\\n outcurl-\\u003ehsts, outcurl-\\u003eset.str[STRING_HSTS]);\\n (void)Curl_hsts_loadcb(outcurl, outcurl-\\u003ehsts);\\n+ \/* copy runtime-learned entries (from Strict-Transport-Security headers) *\/\\n+ if(Curl_hsts_copy(outcurl-\\u003ehsts, data-\\u003ehsts))\\n+ goto fail;\\n }\\n #endif\\n \\ndiff –git a\/lib\/hsts.c b\/lib\/hsts.c\\nindex 94738874b5..a5275200c6 100644\\n— a\/lib\/hsts.c\\n+++ b\/lib\/hsts.c\\n@@ -130,6 +130,24 @@ static CURLcode hsts_create(struct hsts *h,\\n return CURLE_OK;\\n }\\n \\n+\/* Copy all live entries from src into dst. Used by curl_easy_duphandle so the\\n+ * clone inherits runtime-learned STS entries, not just file\/callback ones. *\/\\n+CURLcode Curl_hsts_copy(struct hsts *dst, struct hsts *src)\\n+{\\n+ struct Curl_llist_node *e;\\n+ time_t now = time(NULL);\\n+ for(e = Curl_llist_head(\\u0026src-\\u003elist); e; e = Curl_node_next(e)) {\\n+ struct stsentry *sts = Curl_node_elem(e);\\n+ if(sts-\\u003eexpires \\u003e now) {\\n+ CURLcode rc = hsts_create(dst, sts-\\u003ehost, strlen(sts-\\u003ehost),\\n+ sts-\\u003eincludeSubDomains, sts-\\u003eexpires);\\n+ if(rc)\\n+ return rc;\\n+ }\\n+ }\\n+ return CURLE_OK;\\n+}\\n+\\n \/*\\n * Return the matching HSTS entry, or NULL if the given hostname is not\\n * currently an HSTS one.\\ndiff –git a\/lib\/hsts.h b\/lib\/hsts.h\\nindex d4c7fe826b..1ff1667759 100644\\n— a\/lib\/hsts.h\\n+++ b\/lib\/hsts.h\\n@@ -65,6 +65,7 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data,\\n CURLcode Curl_hsts_loadfiles(struct Curl_easy *data);\\n \\n bool Curl_hsts_applies(struct hsts *h, const struct Curl_peer *dest);\\n+CURLcode Curl_hsts_copy(struct hsts *dst, struct hsts *src);\\n \\n #else\\n #define Curl_hsts_cleanup(x)\\n–\\n2.51.0\\n“`\\n\\n## Impact\\n\\n## Summary:\\n\\nThis is not an \\”attack vector.\\” It just introduces the risk that clients of libcurl using it in a particular manner may accidentally send secrets like passwords or API keys in plain text when the server has instructed them not to.\\n\\nI spent a lot of time working on this and reviewed and tested the information I am sending you carefully. If you have an issue with me using AI I understand. I find it is a productivity multiplier even if I have to spend 1\/2 my time teaching it how to be a senior engineer over and over.”,”published”:”2026-05-29T09:18:15″,”modified”:”2026-06-01T00:17:12″,”type”:”hackerone”,”title”:”curl: Low priority HSTS bypass in curl_easy_duphandle()”,”source”:””,”references”:””,”id”:”H1:3769293″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3769293″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-01T00:27:59″,”description”:”## Summary:\\n\\ncurl_easy_duphandle() creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-58710","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n