{“lastseen”:”2026-06-15T14:16:46″,”description”:”## Summary:\\nWhen curl accesses an `http:\/\/` origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between the proxy and the origin server, visible to the proxy operator and anyone on that network path. curl also reports `CURLINFO_SCHEME` as `\\”https\\”` to the application for what is an `http:\/\/` transfer, which can mislead application-level security logic.\\n\\nThis is a regression introduced on 2026-06-12 in [commit 73daec6](https:\/\/github.com\/curl\/curl\/commit\/73daec6620bf9983df89e8df3660bfa3b8fd501d) ([PR #21967](https:\/\/github.com\/curl\/curl\/pull\/21967)). [proxy.c:652](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/proxy.c#L652) sets `conn-\\u003escheme` to the proxy’s HTTPS scheme. `Curl_secure_context()` ([cookie.c:1273](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/cookie.c#L1273)) checks `conn-\\u003escheme-\\u003eprotocol \\u0026 CURLPROTO_HTTPS` and returns TRUE, so Secure cookies are included. Before this commit, `conn-\\u003escheme` held the origin’s scheme and Secure cookies were correctly withheld.\\n\\nThe same `conn-\\u003escheme` change causes [url.c:2505](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/url.c#L2505) to report `CURLINFO_SCHEME` as `\\”https\\”` for an `http:\/\/` origin.\\n\\n## Affected version\\n“`\\n$ curl –version\\ncurl 8.21.0-DEV (Linux) libcurl\/8.21.0-DEV OpenSSL\/3.0.20 zlib\/1.2.13 brotli\/1.0.9 zstd\/1.5.4 libpsl\/0.21.2 nghttp2\/1.52.0\\nRelease-Date: [unreleased]\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt mqtts pop3 pop3s rtsp smtp smtps telnet tftp ws wss\\nFeatures: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz PSL SSL threadsafe TLS-SRP UnixSockets zstd\\n“`\\n\\nOnly affected since commit [73daec6](https:\/\/github.com\/curl\/curl\/commit\/73daec6620bf9983df89e8df3660bfa3b8fd501d) (2026-06-12). No released version is affected. Still present on origin\/master at [79a2416](https:\/\/github.com\/curl\/curl\/commit\/79a24161ab) as of 2026-06-15.\\n\\n## Steps To Reproduce:\\n\\nA self-contained Dockerfile and patch (`fix.patch`) are attached. The Dockerfile builds three curl binaries from source: pre-regression (`c951368`), regression (`bb837dd`), and regression with the suggested fix applied. It also runs a Squid HTTPS forwarding proxy and a plain HTTP origin server that logs received cookies.\\n\\n“`bash\\ndocker build -t cookie-proxy .\\ndocker run –rm -it cookie-proxy\\n“`\\n\\nInside the container, test each binary:\\n\\n“`bash\\ncurl-safe -sv -x https:\/\/127.0.0.1:8443 –proxy-insecure -b \/tmp\/cookies.txt http:\/\/test.example:8080\/path\\ncurl-vuln -sv -x https:\/\/127.0.0.1:8443 –proxy-insecure -b \/tmp\/cookies.txt http:\/\/test.example:8080\/path\\ncurl-fixed -sv -x https:\/\/127.0.0.1:8443 –proxy-insecure -b \/tmp\/cookies.txt http:\/\/test.example:8080\/path\\n“`\\n\\nCheck what the origin received:\\n\\n“`bash\\ntail \/tmp\/origin.log\\n“`\\n\\n`curl-vuln` leaks the Secure cookie (the verbose output includes a `Cookie:` header, and the origin log confirms receipt). `curl-safe` and `curl-fixed` withhold it (no `Cookie:` header, origin log shows `RECEIVED no Cookie header`).\\n\\n## Suggested fix\\n\\nA patch is attached (`fix.patch`). `Curl_secure_context()` should check `data-\\u003estate.origin-\\u003escheme` instead of `conn-\\u003escheme`. The refactor already migrated most security checks to `data-\\u003estate.origin` but missed this function. The `conn-\\u003escheme` assignment at [proxy.c:652](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/proxy.c#L652) is still needed for SSL filter setup, so it should stay, but `Curl_secure_context()` should not read it. `Curl_xfer_is_secure()` is not affected because it has an additional `Curl_conn_is_ssl()` check that correctly excludes proxy SSL filters ([cfilters.c:693](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/cfilters.c#L693)).\\n\\n## Impact\\n\\nSecure cookies (session tokens, auth cookies, CSRF tokens) are sent in cleartext over the HTTP connection between the HTTPS proxy and the origin server. Anyone who can observe that network path can read them. The proxy operator can harvest them regardless. The `CURLINFO_SCHEME` misreporting can also trick application-level security checks (e.g. \\”only allow this action over HTTPS\\”) into treating an insecure transfer as secure.\\n\\nThe bug affects all HTTP methods (GET, HEAD, POST, PUT, DELETE, PATCH, etc.) because the Secure context check runs in `Curl_cookie_getlist` ([cookie.c:1300](https:\/\/github.com\/curl\/curl\/blob\/bb837dd\/lib\/cookie.c#L1300)), which is called from the request header construction path for every method. WebSocket upgrade requests (`ws:\/\/` through the proxy) are also affected. Any libcurl application using the cookie engine (`CURLOPT_COOKIEFILE` \/ `CURLOPT_COOKIEJAR`) through an HTTPS proxy is affected, not just the curl CLI.\\n\\nRFC violated: [RFC 6265](https:\/\/datatracker.ietf.org\/doc\/html\/rfc6265#section-5.4) Section 5.4 step 3 ties \\”secure channel\\” to the `https` URI scheme ([RFC 7230](https:\/\/datatracker.ietf.org\/doc\/html\/rfc7230#section-2.7.2) Section 2.7.2). The request uses `http:\/\/`, so Secure cookies must not be sent regardless of the TLS transport to the proxy.”,”published”:”2026-06-15T11:37:09″,”modified”:”2026-06-15T13:48:16″,”type”:”hackerone”,”title”:”curl: Secure cookies leaked to HTTP origins through HTTPS forwarding proxy”,”source”:””,”references”:””,”id”:”H1:3803415″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3803415″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-15T14:16:46″,”description”:”## Summary:\\nWhen curl accesses an `http:\/\/` origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-62672","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n