Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

curl: stack-buffer overread during punycode conversions

Low
I
Internet Bug Bounty
Submitted None

Team Summary

Official summary from Internet Bug Bounty

libcurl's URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidentally getting returned as part of the converted string. Full advisory: https://curl.se/docs/CVE-2024-6874.html

Actions:
View on HackerOne
Reported by z2_

Vulnerability Details

Technical details and impact analysis

Buffer Over-read
Hello, I would like to report a vulnerability here, initially reported by me to the curl project. HackerOne report: https://hackerone.com/reports/2604391 CVE: CVE-2024-6874 Advisory: https://curl.se/docs/CVE-2024-6874.html Severity: Low ## Impact When converting the domain name of a URL from/to punycode with libcurl's URL API, libcurl reads past the bounds of a stack-buffer and includes adjacent stack-memory in the conversion result. This potentially leaks pointer values.

Related CVEs

Associated Common Vulnerabilities and Exposures

CVE-2024-6874 LOW

libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly …

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Buffer Over-read