Vulnerability Report: Local File Disclosure via file:// Protocol in cURL
Medium
C
curl
Reported by ahmedqc1
Vulnerability Details
Technical details and impact analysis
Summary
A security vulnerability has been identified that allows unauthorized local file system access via the file:// protocol in cURL, particularly when executed with elevated privileges (e.g., sudo). This could lead to sensitive data exposure, including password hashes stored in /etc/shadow.
Steps to Reproduce
Locating Protocol Handlers
First, I searched for protocol registration in cURL's source:
```c
// Found in lib/url.c
static const struct Curl_handler * const protocols[] = {
    &Curl_handler_dict,
    &Curl_handler_file, // ← This is what we're interested in
    &Curl_handler_ftp,
    ...
};
```
Key Insight:
The file handler is enabled by default in the protocols array.
Examining the File Protocol Handler
I traced the file handler implementation:
```c
// lib/file.c
static CURLcode file_do(struct Curl_easy *data, bool *done)
{
    char *path = data->state.up.path; // ← Raw path from URL
    FILE *file = fopen(path, "rb");   // ← Direct filesystem access
    ...
}
```
Vulnerability Found:
No validation of:
- Path traversal sequences (../)
- Symbolic links
- Filesystem permissions
1. Basic Local File Read
```shell
curl "file:///etc/passwd" # Reads system user info
```
2. Privileged File Access (with sudo)
```shell
sudo curl "file:///etc/shadow" # Exposes password hashes
```
```shell
echo "test" > /tmp/test_file
curl "file:///tmp/test_file"
sudo curl "file:///etc/shadow"
```
Expected Output:
```text
root:*:
kali:$
[...]
```
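As an added example (not curl's code and not part of the report), here is the application-side control that addresses the concern above: an allowlist of URL schemes checked before an untrusted URL is ever handed to curl, which is the same policy the curl CLI's --proto option and libcurl's CURLOPT_PROTOCOLS_STR enforce. The allowed_schemes list and the function names are this example's own choices.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not curl project code: reject any URL whose scheme is
 * not on an explicit allowlist, so file:// (and dict://, ftp://, ...)
 * never reaches curl from untrusted input. */

/* Schemes this hypothetical application is willing to fetch (assumption). */
static const char *const allowed_schemes[] = { "http", "https", NULL };

/* Copies the RFC 3986 scheme of `url` (lower-cased) into `out`.
 * Returns 1 on success, 0 if the URL has no syntactically valid scheme. */
int extract_scheme(const char *url, char *out, size_t outlen)
{
    size_t i;
    if (!url || !outlen || !isalpha((unsigned char)url[0]))
        return 0;
    for (i = 0; url[i] && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        /* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;
        if (i + 1 >= outlen)   /* scheme longer than the buffer: reject */
            return 0;
        out[i] = (char)tolower(c);
    }
    if (url[i] != ':')   /* scheme-less input: curl would guess one, so reject */
        return 0;
    out[i] = '\0';
    return 1;
}

/* Returns 1 if `url` uses an allowlisted scheme, otherwise 0 (reject).
 * Comparison is case-insensitive, so "FILE:///etc/passwd" is refused too. */
int url_scheme_allowed(const char *url)
{
    char scheme[16];
    size_t k;
    if (!extract_scheme(url, scheme, sizeof scheme))
        return 0;
    for (k = 0; allowed_schemes[k]; k++)
        if (strcmp(scheme, allowed_schemes[k]) == 0)
            return 1;
    return 0;
}
```

Only URLs that pass url_scheme_allowed() should be passed on to curl; on the command line the equivalent is `curl --proto =http,https`, and in libcurl it is setting CURLOPT_PROTOCOLS_STR to "http,https".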
## Impact
- Confidentiality Breach: Read access to sensitive system files
- Privilege Escalation: Potential root access via hash cracking

Business Impact:
- Critical for systems processing sensitive data
- Often missed in containerized environments
Report Details
Additional information and metadata
State: Closed
Substate: Not-Applicable
Weakness: Path Traversal