Insecure WebSocket Usage in curl Documentation and Examples (CWE-319: Cleartext Transmission of Sensitive Information)
High
C
curl
Reported by
spectre-1
Vulnerability Details
Technical details and impact analysis
The curl source repository contains official documentation and example code that demonstrate WebSocket connections using the insecure ws:// protocol instead of the secure wss://. This misleading guidance may encourage developers to implement cleartext WebSocket endpoints, exposing users and infrastructure to eavesdropping, MITM (Man-in-the-Middle) attacks, and session hijacking. Failing to promote secure defaults in a popular open-source project creates systemic risks for downstream adopters.
This report and its analysis were enhanced and generated using an AI assistant to ensure a comprehensive security review and reproducibility.
Affected version
Verified on the curl master branch as of August 2025. Insecure usage appears in historical releases as well. Example tested version:

```
curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.7 zlib/1.2.13 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 nghttp2/1.51.0
Release-Date: 2023-06-12
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp ws wss
Platform: Linux 5.15.0-83-generic x86_64
```
Steps To Reproduce:
1. Clone or download the curl GitHub repository.
2. Search for insecure WebSocket URIs by running:
   ```
   grep -rn 'ws://' ./docs/ ./examples/
   ```
3. Review the documentation (docs/WEBSOCKETS.md, etc.) and example code (e.g., examples/websocket-client.c) to confirm insecure ws:// references are present and no explicit security warning is provided.
4. Validate that instructions or sample code do not require, prefer, or warn about secure WebSocket (wss://) usage.
Supporting Material/References:
- File: docs/WEBSOCKETS.md (e.g., line 15: `curl "ws://echo.websocket.org"`)
- File: examples/websocket-client.c (e.g., line 42: `#define WS_URL "ws://test.websocket.org"`)
- Manual and Semgrep findings for insecure protocol patterns
- curl/curl GitHub repository
## Impact
## Summary:
By demonstrating and failing to warn against insecure WebSocket usage (ws://), curl's documentation may lead developers to implement applications that transmit data over unencrypted channels. This enables attackers to:
- Eavesdrop on user data in transit
- Hijack sessions or inject malicious payloads
- Perform MITM attacks against production services and infrastructure
For a widely adopted open source tool, propagating insecure defaults has downstream and supply chain impact, potentially affecting thousands of projects. Severity is High, and the most relevant CWE is CWE-319: Cleartext Transmission of Sensitive Information.
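The two checks the report relies on, the grep for `ws://` references in the repository and the expectation that client code prefers `wss://`, can be expressed as a small scheme-policy helper. The following C code is an added example written for this page; it is not from the curl project or from the report. It classifies a WebSocket URL as TLS-protected, cleartext-to-loopback (tolerable for local testing), cleartext-to-remote (the CWE-319 case), or not a WebSocket URL at all, and reuses that classification to count the remote cleartext references in a text buffer, which is the report's grep step with a loopback exception added. The sample document text is constructed for the example. An application that does use libcurl can get the same refusal from libcurl itself by setting `CURLOPT_PROTOCOLS_STR` to `"wss"` (or `--proto =wss` on the command line), so the helper is illustrative of the policy rather than a replacement for that option.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdict for a WebSocket URL before it is handed to a client such as libcurl. */
enum ws_verdict {
    WS_SECURE,             /* wss://: TLS-protected, allowed */
    WS_CLEARTEXT_LOOPBACK, /* ws:// to a loopback host: local testing only */
    WS_CLEARTEXT_REMOTE,   /* ws:// to any other host: cleartext transmission (CWE-319) */
    WS_NOT_WEBSOCKET       /* some other scheme entirely */
};

/* Case-insensitive prefix match; URL schemes are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
        s++;
        prefix++;
    }
    return 1;
}

/* Copy the host of "host[:port][/path]" into buf, lower-cased.
 * Bracketed IPv6 literals such as [::1] are unwrapped; nothing else is parsed. */
static void extract_host(const char *p, char *buf, size_t buflen)
{
    size_t i = 0;
    if (*p == '[') {
        p++;
        while (*p && *p != ']' && i + 1 < buflen)
            buf[i++] = *p++;
    } else {
        while (*p && *p != ':' && *p != '/' && *p != '?' && *p != '#' && i + 1 < buflen)
            buf[i++] = (char)tolower((unsigned char)*p++);
    }
    buf[i] = '\0';
}

/* Loopback policy used by this example: localhost, ::1, and any 127.x.x.x literal. */
static int is_loopback_host(const char *host)
{
    return strcmp(host, "localhost") == 0 ||
           strcmp(host, "::1") == 0 ||
           has_prefix_ci(host, "127.");
}

enum ws_verdict ws_url_policy(const char *url)
{
    char host[256];
    if (has_prefix_ci(url, "wss://"))
        return WS_SECURE;
    if (!has_prefix_ci(url, "ws://"))
        return WS_NOT_WEBSOCKET;
    extract_host(url + strlen("ws://"), host, sizeof host);
    return is_loopback_host(host) ? WS_CLEARTEXT_LOOPBACK : WS_CLEARTEXT_REMOTE;
}

/* Count ws:// URLs in a text buffer (e.g. a documentation file read into memory)
 * that point somewhere other than loopback. Each "://" is located, the scheme
 * letters before it are walked back over, and the URL is classified. */
int count_cleartext_ws_refs(const char *text)
{
    int count = 0;
    const char *p = text;
    while ((p = strstr(p, "://")) != NULL) {
        const char *start = p;
        while (start > text && isalpha((unsigned char)start[-1]))
            start--;
        if (ws_url_policy(start) == WS_CLEARTEXT_REMOTE)
            count++;
        p += 3;
    }
    return count;
}

/* Constructed sample modelled on the kinds of lines the report's grep would hit. */
static const char SAMPLE_DOC[] =
    "curl \"ws://echo.websocket.org\"\n"
    "#define WS_URL \"ws://test.websocket.org\"\n"
    "curl wss://echo.websocket.org\n"
    "ws://localhost:8080/dev\n";

int sample_cleartext_count(void)
{
    return count_cleartext_ws_refs(SAMPLE_DOC);
}

int main(void)
{
    printf("remote cleartext ws:// references in sample: %d\n", sample_cleartext_count());
    return 0;
}
```

Of the four sample lines, two are remote `ws://` URLs, one is `wss://`, and one is a loopback `ws://` URL, so the count reported is 2. In a real scan the loopback exception keeps local test instructions from being flagged alongside the examples that point at public hosts.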
Report Details
Additional information and metadata
State
Closed
Substate
Not-Applicable
Weakness
Cleartext Transmission of Sensitive Information