curl doesn't hide credentials in /proc/XXX/cmdline provided via CLI arguments

Medium
C
curl
Submitted None
Reported by stogusho

Vulnerability Details

Technical details and impact analysis

Cleartext Transmission of Sensitive Information
## Summary:
`cleanarg` helper func doesn't work, when credentials are provided without a whitespace to a short options flag, e.g. `-uUSER:PASS` vs `-u USER:PASS` or `-UUSER:PASS` vs `-U UUSER:PASS`

## Affected version
```
curl -V
curl 8.12.1 (x86_64-pc-linux-musl) libcurl/8.12.1 OpenSSL/3.3.3 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0
Release-Date: 2025-02-13
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
```

## Steps To Reproduce:
[add details for how we can reproduce the issue]

Run these commands in Linux environment (tested in zsh, bash, posix sh)

1. run curl `curl 8.8.8.8:444 -u user:pass -ufoo:bar -U baz:qux -U123:456 --user USER:PASS` using root or other user
2. run `ps ax` in another terminal on the same host under another unprivileged user:
```
$ ps ax | grep ' [c]url 8'
283299 ? Ss 0:00 curl 8.8.8.8:444 -u -ufoo:bar -U -U123:456 --user
```
3.
```
$ cat /proc/283299/cmdline | tr '\0' '\n'
curl 8.8.8.8:444 -u -ufoo:bar -U -U123:456 --user
```

## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]

Initial implementation: https://github.com/curl/curl/commit/7f67a28c2a2ee81b0998e57a10bccbdfe9078fd7

Documentation discussion https://github.com/curl/curl/issues/3680, a note added into docs https://github.com/curl/curl/commit/2af732f364e4734a5a5fd432c77a374e84e5d76c

## Impact

## Summary:
curl fails to mask sensitive arguments (e.g., passwords) when passed via the command line without a whitespace separator. As a result, these arguments remain visible in system process listings (ps aux, /proc/<pid>/cmdline), posing a security risk.

Impact: Any user on the system can view sensitive information by inspecting running processes. This can lead to unauthorized access, credential leaks, and potential security breaches.
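An added illustration, not curl's code and not part of the original report: a minimal in-place argv masking routine in C that covers both the separate (`-u USER:PASS`) and the attached (`-uUSER:PASS`) short-option forms the report contrasts. The function name `mask_credentials`, the `x` mask character and the sample argv are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite a secret in place. The length is kept because the kernel
   exposes the original argv memory through /proc/<pid>/cmdline. */
static void blank(char *s)
{
  memset(s, 'x', strlen(s)); /* 'x' is an arbitrary mask character */
}

/* Mask values of -u/--user and -U/--proxy-user; returns how many were masked.
   Limitation: an option letter bundled after other short flags is not parsed. */
int mask_credentials(int argc, char **argv)
{
  int masked = 0;
  for(int i = 1; i < argc; i++) {
    char *a = argv[i];
    char *secret = NULL;
    if(!strcmp(a, "--user") || !strcmp(a, "--proxy-user")) {
      if(i + 1 < argc)
        secret = argv[++i];            /* long option: value is next arg */
    }
    else if(a[0] == '-' && (a[1] == 'u' || a[1] == 'U')) {
      if(a[2])
        secret = a + 2;                /* attached form: -uUSER:PASS */
      else if(i + 1 < argc)
        secret = argv[++i];            /* separate form: -u USER:PASS */
    }
    if(secret) {
      blank(secret);
      masked++;
    }
  }
  return masked;
}

int main(void)
{
  /* Constructed argv mirroring the command line used in the report. */
  char a0[] = "curl", a1[] = "8.8.8.8:444", a2[] = "-u", a3[] = "user:pass",
       a4[] = "-ufoo:bar", a5[] = "-U", a6[] = "baz:qux", a7[] = "-U123:456",
       a8[] = "--user", a9[] = "USER:PASS";
  char *argv[] = { a0, a1, a2, a3, a4, a5, a6, a7, a8, a9 };
  int n = mask_credentials(10, argv);
  for(int i = 0; i < 10; i++)
    printf("%s%c", argv[i], i < 9 ? ' ' : '\n');
  printf("masked %d arguments\n", n);
  return 0;
}
```

Masking of this kind only shortens the exposure: the original arguments are readable in `/proc/<pid>/cmdline` from process start until the overwrite runs.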

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Cleartext Transmission of Sensitive Information