
TOPCURL.md


Top reports from curl program at HackerOne:

  1. CVE-2021-22901: TLS session caching disaster to curl - 70 upvotes, $2000
  2. curl overwrite local file with -J to curl - 52 upvotes, $700
  3. CVE-2020-8286: Inferior OCSP verification to curl - 49 upvotes, $900
  4. CVE-2020-8284: trusting FTP PASV responses to curl - 30 upvotes, $700
  5. Windows Privilege Escalation: Malicious OpenSSL Engine to curl - 23 upvotes, $200
  6. An integer overflow found in /lib/urlapi.c to curl - 23 upvotes, $150
  7. Partial password leak over DNS on HTTP redirect to curl - 21 upvotes, $400
  8. CVE-2022-27776: Auth/cookie leak on redirect to curl - 18 upvotes, $0
  9. CVE-2021-22945: UAF and double-free in MQTT sending to curl - 14 upvotes, $1000
  10. Heap Buffer Overflow at lib/tftp.c to curl - 13 upvotes, $200
  11. CVE-2022-35252: control code in cookie denial of service to curl - 13 upvotes, $0
  12. Connect-only connections can use the wrong connection to curl - 11 upvotes, $500
  13. Heap buffer overflow in TFTP when using small blksize to curl - 11 upvotes, $250
  14. CVE-2021-22897: schannel cipher selection surprise to curl - 10 upvotes, $800
  15. SMB access smuggling via FILE URL on Windows to curl - 9 upvotes, $400
  16. CVE-2021-22946: Protocol downgrade required TLS bypassed to curl - 8 upvotes, $1000
  17. CVE-2022-27778: curl removes wrong file on error to curl - 8 upvotes, $0
  18. CVE-2021-22947: STARTTLS protocol injection via MITM to curl - 7 upvotes, $1500
  19. CVE-2021-22890: TLS 1.3 session ticket proxy host mixup to curl - 7 upvotes, $0
  20. CVE-2022-32208: FTP-KRB bad message verification to curl - 7 upvotes, $0
  21. krb5: double-free in read_data() after realloc() fail to curl - 6 upvotes, $200
  22. --libcurl code injection via trigraphs to curl - 6 upvotes, $0
  23. CVE-2022-27774: Credential leak on redirect to curl - 6 upvotes, $0
  24. CVE-2022-27780: percent-encoded path separator in URL host to curl - 6 upvotes, $0
  25. CVE-2021-22898: TELNET stack contents disclosure to curl - 5 upvotes, $1000
  26. CVE-2021-22876: Automatic referer leaks credentials to curl - 5 upvotes, $800
  27. Github wikis are editable by anyone #Githubwikistakeover to curl - 5 upvotes, $0
  28. Remote memory disclosure vulnerability in libcurl on 64 Bit Windows to curl - 5 upvotes, $0
  29. CVE-2022-22576: OAUTH2 bearer bypass in connection re-use to curl - 5 upvotes, $0
  30. CVE-2022-30115: HSTS bypass via trailing dot to curl - 5 upvotes, $0
  31. CVE-2022-42915: HTTP proxy double-free to curl - 5 upvotes, $0
  32. CVE-2021-22924: Bad connection reuse due to flawed path name checks to curl - 4 upvotes, $1200
  33. Signed integer overflow in tool_progress_cb() to curl - 4 upvotes, $0
  34. Invalid write (or double free) triggers curl command line tool crash to curl - 4 upvotes, $0
  35. Integer overflows in tool_operate.c at line 1541 to curl - 4 upvotes, $0
  36. SSRF via maliciously crafted URL due to host confusion to curl - 4 upvotes, $0
  37. CVE-2022-27775: Bad local IPv6 connection reuse to curl - 4 upvotes, $0
  38. CVE-2022-27779: cookie for trailing dot TLD to curl - 4 upvotes, $0
  39. CVE-2022-27782: TLS and SSH connection too eager reuse to curl - 4 upvotes, $0
  40. Memory leak in CURLOPT_XOAUTH2_BEARER to curl - 4 upvotes, $0
  41. Credential leak on redirect to curl - 4 upvotes, $0
  42. CVE-2022-27781: CERTINFO never-ending busy-loop to curl - 4 upvotes, $0
  43. CVE-2022-32206: HTTP compression denial of service to curl - 4 upvotes, $0
  44. CVE-2022-32205: Set-Cookie denial of service to curl - 4 upvotes, $0
  45. CVE-2022-35260: .netrc parser out-of-bounds access to curl - 4 upvotes, $0
  46. CVE-2021-22925: TELNET stack contents disclosure again to curl - 3 upvotes, $800
  47. CVE-2021-22922: Wrong content via metalink not discarded to curl - 3 upvotes, $700
  48. CVE-2021-22923: Metalink download sends credentials to curl - 3 upvotes, $700
  49. Active Mixed Content over HTTPS to curl - 3 upvotes, $0
  50. curl overwrites local file with -J option if file non-readable, but file writable. to curl - 3 upvotes, $0
  51. Poll loop/hang on incomplete HTTP header to curl - 3 upvotes, $0
  52. Integer overflow in the source code tool_cb_prg.c to curl - 3 upvotes, $0
  53. Denial of Service vulnerability in curl when parsing MQTT server response to curl - 3 upvotes, $0
  54. CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars to curl - 3 upvotes, $0
  55. CVE-2022-32207: Unpreserved file permissions to curl - 3 upvotes, $0
  56. CVE-2022-32221: POST following PUT confusion to curl - 3 upvotes, $0
  57. CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport to curl - 2 upvotes, $1000
  58. Abusing URL Parsers by long schema name to curl - 2 upvotes, $0
  59. Heap Buffer Overflow (READ of size 1) in ourWriteOut to curl - 2 upvotes, $0
  60. Libcurl occasionally sends HTTPS traffic to port 443 rather than specified port 8080 to curl - 2 upvotes, $0
  61. Integer overflow in "header_append" function to curl - 2 upvotes, $0
  62. curl on Windows can be forced to execute code via OpenSSL environment variables to curl - 2 upvotes, $0
  63. Binary output bypass to curl - 2 upvotes, $0
  64. CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster to curl - 2 upvotes, $0
  65. Cookie injection from non-secure context to curl - 2 upvotes, $0
  66. Heap overflow via HTTP/2 PUSH_PROMISE to curl - 2 upvotes, $0
  67. Credential leak when use two url to curl - 2 upvotes, $0
  68. CVE-2022-42916: HSTS bypass via IDN to curl - 2 upvotes, $0
  69. Insecure Frame (External) to curl - 1 upvotes, $0
  70. Parallel upload hangs curl if upload file not found to curl - 1 upvotes, $0
  71. CVE-2020-8285: FTP wildcard stack overflow to curl - 1 upvotes, $0
  72. libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823 to curl - 1 upvotes, $0
  73. Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time to curl - 1 upvotes, $0
  74. Division by zero if terminal width is 2 to curl - 1 upvotes, $0
  75. Unexpected access to process open files via file:///proc/self/fd/n to curl - 1 upvotes, $0
  76. use after free in cookie.c to curl - 1 upvotes, $0
  77. Potential invocation of qsort on uninitialized memory during cookie save to curl - 1 upvotes, $0
  78. Resource leak when using a normal site as DOH server to curl - 1 upvotes, $0
  79. Buffer write overflow when forming dns over http request to curl - 1 upvotes, $0
  80. Integer overflow at line 1603 in the src/operator.c file to curl - 1 upvotes, $0
  81. huge COLUMNS causes progress-bar to buffer overflow to curl - 1 upvotes, $0
  82. Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c to curl - 1 upvotes, $0
  83. Proxy-Authorization header carried to a new host on a redirect to curl - 1 upvotes, $0
  84. Occasional use-after-free in multi_done() libcurl-7.81.0 to curl - 1 upvotes, $0
  85. Use of Unsafe function || Strcpy to curl - 1 upvotes, $0
  86. curl proceeds with unsafe connections when -K file can't be read to curl - 1 upvotes, $0
  87. Certificate authentication re-use on redirect to curl - 1 upvotes, $0
  88. error parse uri path in curl to curl - 1 upvotes, $0
  89. KRB-FTP: Security level downgrade to curl - 1 upvotes, $0
  90. curl "globbing" can lead to denial of service attacks to curl - 1 upvotes, $0
  91. Port and service scanning on localhost due to improper URL validation. to curl - 0 upvotes, $0
  92. Data race conditions reported by helgrind when performing parallel DNS queries in libcurl to curl - 0 upvotes, $0
  93. Only OpenSSL handles a CRL when passed in via CApath to curl - 0 upvotes, $0
  94. curl successfully matches IP address literal in URL against IP address literal in certificate Common Name to curl - 0 upvotes, $0
  95. Curl_auth_create_plain_message integer overflow leads to heap buffer overflow to curl - 0 upvotes, $0
  96. curl still vulnerable to SMB access smuggling via FILE URL on Windows to curl - 0 upvotes, $0
  97. Incorrect IPv6 literal parsing leads to validated connection to unexpected https server. to curl - 0 upvotes, $0
  98. Double-free of `trailers_buf` on `Curl_http_compile_trailers()` failure to curl - 0 upvotes, $0
  99. match to curl - 0 upvotes, $0
  100. Integer overflows in unescape_word() to curl - 0 upvotes, $0