Improper Certificate Validation Affecting curl package, versions [8.5.0,8.14.0)

curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features.

Affected versions of this package are vulnerable to Improper Certificate Validation through pinning of the server certificate public key for HTTPS transfers. An attacker can impersonate a legitimate server and intercept or manipulate communications by presenting a fraudulent certificate that the client fails to properly verify.

Note:

This only affects users connecting with QUIC for HTTP/3 while the TLS backend is wolfSSL. Beware that while curl versions before 8.5.0 are not strictly considered vulnerable to this flaw, certificate pinning for QUIC with wolfSSL did not work correctly then either. But before then HTTP/3 support was labeled experimental and not presumed to work 100%.

For users that cannot upgrade the package to the fixed version it is recommended to:

1. Apply the patch to your local version or
2. Avoid using HTTP/3 or certificate pinning with curl built to use wolfSSL

1. Prepare curl with WolfSSL backend.

2. curl --http3 https://google.com --pinnedpubkey sha256//ffff

It should result in an error because the specified public key and the certificate's public key are different, but no error occurs. An error occurs when using HTTP/1.1. An error occurs when the TLS backend is OpenSSL or GnuTLS.

• GitHub Commit
• HackerOne Report
• Security Advisory