-H with space prefix leads to previous header injection when used with --proxy

Medium
C
curl
Submitted None
Reported by spongebhav

Vulnerability Details

Technical details and impact analysis

Improper Check or Handling of Exceptional Conditions
## Summary:

Hi team,

I hope you're doing well. Recently I came across this weird curl behavior where -H "[space]header: value" would inject the header in the previous HTTP header. Tried it on macOS Sequoia 15.1 with curl version

```
curl 8.11.0 (aarch64-apple-darwin24.1.0) libcurl/8.11.0 OpenSSL/3.4.0 (SecureTransport) zlib/1.2.12 brotli/1.1.0 zstd/1.5.6 AppleIDN libssh2/1.11.1 nghttp2/1.64.0 librtmp/2.3
Release-Date: 2024-11-06
```

Weirdly, this only seems to work when the --proxy argument exists.

## Steps To Reproduce:

```bash
curl -X GET "https://iaw2x2g8gw7mfnouqxj3z2hc036uunic.oastify.com" -H "Secure-Header: XYZ" -H " new-header-that-will-inject-to-previous-header: value" --proxy 127.0.0.1:8080
```

Resulting request: {F3789552}

When the first header itself contains a space, the behavior will again be to attach to the previous header:

```
curl -X GET "https://iaw2x2g8gw7mfnouqxj3z2hc036uunic.oastify.com" -H " new-header-that-will-inject-to-previous-header: value" --proxy 127.0.0.1:8080
```

{F3789554}

Without the proxy argument, however, the behavior is normal and it will send them on new lines:

```
curl -X GET "https://iaw2x2g8gw7mfnouqxj3z2hc036uunic.oastify.com" -H " new-header-that-will-inject-to-previous-header: value"
```

Resulting request: {F3789556}

This also works with -H @file.txt where the file begins with a space.

I do not have an exact scenario where this can be exploited; however, since curl is so widely used, I can imagine a scenario where @file.txt or a single header name input may be attacker-controlled in some way, which can lead to malformed requests to servers.

Also, if a request like this is sent:

```
curl -X GET "https://iaw2x2g8gw7mfnouqxj3z2hc036uunic.oastify.com" -H " new-header-that-will-inject-to-previous-header: value" -H @headers2.txt -H 'User-Agent:' -H 'Accept:' --proxy 127.0.0.1:8080
```

The headers will directly attach to the Host header, which may lead to incorrect logging and introduce other issues depending upon the program.

{F3789609}

Since header field-names can't contain spaces anyway, stripping them and always adding them on a new line would be a perfect solution.

## Impact

Previous header / previous line injection via -H
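A caller-side check for header lines that come from untrusted input before they reach `curl -H`, as an added example (not code from the report or from curl). It rejects a line with leading whitespace rather than stripping it; the function names are hypothetical, and `folded_view` only models a recipient that honors HTTP/1.1 line folding (obs-fold), which is an assumption and not a statement about curl or the proxy used in the report.

```python
import re

# RFC 9110 "token": the only characters allowed in a header field-name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# curl -H forms accepted here: "Name: value", "Name:" (remove header), "Name;" (empty value).
FORM = re.compile(r"([^:;]+)(:.*|;)")


def check_header_line(line):
    """Return line if it is safe to hand to curl -H, else raise ValueError."""
    if "\r" in line or "\n" in line:
        raise ValueError("embedded CR or LF")
    if line[:1] in (" ", "\t"):
        # SP/HTAB at the start of a field line is HTTP/1.1 line folding (obs-fold).
        raise ValueError("leading whitespace")
    m = FORM.fullmatch(line)
    if not m or not TOKEN.fullmatch(m.group(1)):
        raise ValueError("invalid field-name")
    return line


def curl_header_args(lines):
    """Validate every line, then build the -H arguments as an argv list (no shell)."""
    args = []
    for line in lines:
        args += ["-H", check_header_line(line.rstrip("\r\n"))]
    return args


def folded_view(lines):
    """How a recipient that honors obs-fold reads field lines: a line starting
    with SP/HTAB is appended to the previous one."""
    out = []
    for line in lines:
        if out and line[:1] in (" ", "\t"):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    # Constructed sample, modelled on the header values in the report.
    sample = ["Secure-Header: XYZ", " new-header-that-will-inject-to-previous-header: value"]
    print(folded_view(sample))
    try:
        curl_header_args(sample)
    except ValueError as err:
        print("rejected:", err)
```

The same check applies to each line of a file before it is passed as `-H @file.txt`.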

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

Improper Check or Handling of Exceptional Conditions